Stephanie Weirich (Ed.) 


LNCS 14576 


33rd European Symposium on Programming, ESOP 2024 
Held as Part of the European Joint Conferences 


on Theory and Practice of Software, ETAPS 2024 
Luxembourg City, Luxembourg, April 6-11, 2024 
Proceedings, Part I


Springer   Open Access


Lecture Notes in Computer Science 14576 


Founding Editors 


Gerhard Goos, Germany 
Juris Hartmanis, USA 


Editorial Board Members 


Elisa Bertino, USA
Wen Gao, China
Bernhard Steffen, Germany
Moti Yung, USA


Advanced Research in Computing and Software Science 


Subline of Lecture Notes in Computer Science 


Subline Series Editors 


Giorgio Ausiello, University of Rome ‘La Sapienza’, Italy 
Vladimiro Sassone, University of Southampton, UK 


Subline Advisory Board 


Susanne Albers, TU Munich, Germany 

Benjamin C. Pierce, University of Pennsylvania, USA 
Bernhard Steffen, University of Dortmund, Germany

Deng Xiaotie, Peking University, Beijing, China 

Jeannette M. Wing, Microsoft Research, Redmond, WA, USA 


More information about this series at https://link.springer.com/bookseries/558 


Stephanie Weirich 
Editor 


Programming 
Languages 
and Systems 




Springer


Editor 
Stephanie Weirich


University of Pennsylvania 
Philadelphia, PA, USA 


ISSN 0302-9743 ISSN 1611-3349 (electronic) 
Lecture Notes in Computer Science 
ISBN 978-3-031-57261-6 ISBN 978-3-031-57262-3 (eBook) 


https://doi.org/10.1007/978-3-031-57262-3
© The Editor(s) (if applicable) and The Author(s) 2024. This book is an open access publication. 


Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International 
License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution 
and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and 
the source, provide a link to the Creative Commons license and indicate if changes were made. 

The images or other third party material in this book are included in the book’s Creative Commons license, 
unless indicated otherwise in a credit line to the material. If material is not included in the book’s Creative 
Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, 
you will need to obtain permission directly from the copyright holder. 

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication 
does not imply, even in the absence of a specific statement, that such names are exempt from the relevant 
protective laws and regulations and therefore free for general use. 

The publisher, the authors and the editors are safe to assume that the advice and information in this book are 
believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors 
give a warranty, expressed or implied, with respect to the material contained herein or for any errors or 
omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in 
published maps and institutional affiliations. 


This Springer imprint is published by the registered company Springer Nature Switzerland AG 
The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland 


Paper in this product is recyclable. 


ETAPS Foreword 


Welcome to the 27th ETAPS! ETAPS 2024 took place in Luxembourg City, the 
beautiful capital of Luxembourg. 

ETAPS 2024 is the 27th instance of the European Joint Conferences on Theory and 
Practice of Software. ETAPS is an annual federated conference established in 1998, 
and consists of four conferences: ESOP, FASE, FoSSaCS, and TACAS. Each conference
has its own Program Committee (PC) and its own Steering Committee (SC).
The conferences cover various aspects of software systems, ranging from theoretical 
computer science to foundations of programming languages, analysis tools, and formal 
approaches to software engineering. Organising these conferences in a coherent, highly 
synchronized conference programme enables researchers to participate in an exciting 
event, having the possibility to meet many colleagues working in different directions in 
the field, and to easily attend talks of different conferences. On the weekend before the 
main conference, numerous satellite workshops took place that attracted many 
researchers from all over the globe. 

ETAPS 2024 received 352 submissions in total, 117 of which were accepted, 
yielding an overall acceptance rate of 33%. I thank all the authors for their interest in 
ETAPS, all the reviewers for their reviewing efforts, the PC members for their contributions,
and in particular the PC (co-)chairs for their hard work in running this entire
intensive process. Last but not least, my congratulations to all authors of the accepted 
papers! 

ETAPS 2024 featured the unifying invited speakers Sandrine Blazy (University of 
Rennes, France) and Lars Birkedal (Aarhus University, Denmark), and the invited 
speakers Ruzica Piskac (Yale University, USA) for TACAS and Jérôme Leroux 
(Laboratoire Bordelais de Recherche en Informatique, France) for FoSSaCS. Invited 
tutorials were provided by Tamar Sharon (Radboud University, the Netherlands) on 
computer ethics and David Monniaux (Verimag, France) on abstract interpretation. 

As part of the programme we had the first ETAPS industry day. The goal of this day 
was to bring industrial practitioners into the heart of the research community and to 
catalyze the interaction between industry and academia. The day was organized by 
Nikolai Kosmatov (Thales Research and Technology, France) and Andrzej Wasowski 
(IT University of Copenhagen, Denmark). 

ETAPS 2024 was organized by the SnT - Interdisciplinary Centre for Security, 
Reliability and Trust, University of Luxembourg. The University of Luxembourg was 
founded in 2003. The university is one of the best and most international young 
universities with 6,000 students from 130 countries and 1,500 academics from all over 
the globe. The local organisation team consisted of Peter Y.A. Ryan (general chair), 
Peter B. Roenne (organisation chair), Maxime Cordy and Renzo Gaston Degiovanni 
(workshop chairs), Magali Martin and Isana Nascimento (event manager), Marjan 
Skrobot (publicity chair), and Afonso Arriaga (local proceedings chair). This team also 
organised the online edition of ETAPS 2021, and now we are happy that they agreed to
also organise a physical edition of ETAPS. 

ETAPS 2024 is further supported by the following associations and societies: 
ETAPS e.V., EATCS (European Association for Theoretical Computer Science), 
EAPLS (European Association for Programming Languages and Systems), and EASST 
(European Association of Software Science and Technology). 

The ETAPS Steering Committee consists of an Executive Board, and representatives
of the individual ETAPS conferences, as well as representatives of EATCS,
EAPLS, and EASST. The Executive Board consists of Marieke Huisman (Twente, 
chair), Andrzej Wasowski (Copenhagen), Thomas Noll (Aachen), Jan Kofron (Prague), 
Barbara König (Duisburg), Arnd Hartmanns (Twente), Caterina Urban (Inria), Jan 
Křetínský (Munich), Elizabeth Polgreen (Edinburgh), and Lenore Zuck (Chicago). 

Other members of the steering committee are: Maurice ter Beek (Pisa), Dirk Beyer 
(Munich), Artur Boronat (Leicester), Luis Caires (Lisboa), Ana Cavalcanti (York), 
Ferruccio Damiani (Torino), Bernd Finkbeiner (Saarland), Gordon Fraser (Passau), 
Arie Gurfinkel (Waterloo), Reiner Hähnle (Darmstadt), Reiko Heckel (Leicester),
Marijn Heule (Pittsburgh), Joost-Pieter Katoen (Aachen and Twente), Delia Kesner 
(Paris), Naoki Kobayashi (Tokyo), Fabrice Kordon (Paris), Laura Kovacs (Vienna), 
Mark Lawford (Hamilton), Tiziana Margaria (Limerick), Claudio Menghi (Hamilton 
and Bergamo), Andrzej Murawski (Oxford), Laure Petrucci (Paris), Peter Y.A. Ryan 
(Luxembourg), Don Sannella (Edinburgh), Viktor Vafeiadis (Kaiserslautern), Stephanie
Weirich (Pennsylvania), Anton Wijs (Eindhoven), and James Worrell (Oxford).

I would like to take this opportunity to thank all authors, keynote speakers, attendees,
organizers of the satellite workshops, and Springer Nature for their support.
ETAPS 2024 was also generously supported by a RESCOM grant from the Luxembourg
National Research Foundation (project 18015543). I hope you all enjoyed
ETAPS 2024.

Finally, a big thanks to both Peters, Magali and Isana and their local organization 
team for all their enormous efforts to make ETAPS a fantastic event. 


April 2024 Marieke Huisman 
ETAPS SC Chair 
ETAPS e.V. President 


Preface 


These proceedings volumes contain papers that were presented at the 33rd European 
Symposium on Programming (ESOP 2024), held during April 6-11 in Luxembourg 
City, Luxembourg, along with associated artifact reports. ESOP is part of the European 
Joint Conferences on Theory and Practice of Software (ETAPS) and promotes the 
specification, design, analysis and implementation of programming languages and 
systems. 

In total, these two volumes include 25 research papers, one “fresh perspective” and 
four “artifact reports”. The latter two paper categories are new to ESOP. In addition to 
standard research papers, the ESOP 2024 call-for-papers included the new submission 
categories: “fresh perspectives” that provide new insights in a particularly elegant way 
and “experience reports” that describe tools and systems used in practice. Furthermore, 
authors of accepted papers were allowed to submit short “artifact reports”, to appear 
together with their research papers, that describe associated software, tools, data sets, or 
machine checked proofs to substantiate the claims made in their papers. 

The papers in this volume were selected from 66 papers submitted in the research 
paper category and 6 papers submitted in the “fresh perspectives” category. There were 
no submissions for “experience reports”. While papers in these new categories had 
strict formatting requirements, ESOP 2024 allowed research papers to be submitted in 
any format, of any length, under the advisement that the final paper should be formatted 
to fit this volume. Fourteen submissions took advantage of this flexibility. 

Each submitted paper received at least three reviews by the members of the ESOP 
program committee. The median PC member was assigned eight papers to review over 
the seven week review period. In some cases, PC members solicited additional reviews 
to aid in the decision making process. In total, 39 external reviewers added their insight 
to the paper selection process. ESOP employed full double-blind review and author 
identities were only revealed to reviewers on paper acceptance. Authors were also 
given a chance to respond to their reviews, before the program was selected through a 
two week online, asynchronous PC meeting, facilitated by the EasyChair system. The 
program chair had no conflicts with any submitted paper. 

ESOP 2024 also employed an artifact evaluation process. Nineteen of the 26 
accepted papers elected to make their artifacts available on the archive sites Zenodo and 
figshare. The committee awarded the badge “Functional” to five of these and the 
badges “Functional and reusable” to the remaining fourteen. Four accepted papers in 
this volume are accompanied by artifact reports. These reports were all accepted following
a light review by both the program committee and the ESOP/FASE/FoSSaCS
joint artifact evaluation committee. 

Indeed, my sincere thanks go to all who worked together to produce this event and 
its proceedings. Foremost, to the authors, who provided the technical content of the 
meeting. Also to the program committee, artifact evaluation committee, and external 
reviewers, who provided their well-reasoned and detailed judgments, sometimes on
short notice. Tobias Kappé, as the representative for ESOP among the artifact evaluation
committee co-chairs, deserves particular thanks. I also would like to thank the
ETAPS steering committee and its chair Marieke Huisman, the Proceedings coordinator
Barbara König and the local proceedings chair Afonso Delerue Arriaga, and
webmaster Jan Kofroň for their assistance in fitting ESOP together with the entire
ETAPS meeting. Finally, thanks are due to the members of the ESOP steering committee.
In particular, Luis Caires, as chair of the SC, was a constant source of support,
encouragement, information and guidance.


April 2024 Stephanie Weirich 
ESOP PC Chair 
Scoped Effects as Parameterized Algebraic Theories


Sam Lindley¹, Cristina Matache¹(✉), Sean Moss², Sam Staton³,
Nicolas Wu⁴, and Zhixuan Yang⁴


¹ University of Edinburgh, Edinburgh, UK
{sam.lindley,cristina.matache}@ed.ac.uk
² University of Birmingham, Birmingham, UK
s.k.moss@bham.ac.uk
³ University of Oxford, Oxford, UK
sam.staton@cs.ox.ac.uk
⁴ Imperial College London, London, UK
{n.wu,s.yang20}@imperial.ac.uk


Abstract. Notions of computation can be modelled by monads. Algebraic effects offer a characterization of monads in terms of algebraic operations and equational axioms, where operations are basic programming features, such as reading or updating the state, and axioms specify observably equivalent expressions. However, many useful programming features depend on additional mechanisms such as delimited scopes or dynamically allocated resources. Such mechanisms can be supported via extensions to algebraic effects including scoped effects and parameterized algebraic theories. We present a fresh perspective on scoped effects by translation into a variation of parameterized algebraic theories. The translation enables a new approach to equational reasoning for scoped effects and gives rise to an alternative characterization of monads in terms of generators and equations involving both scoped and algebraic operations. We demonstrate the power of our fresh perspective by way of equational characterizations of several known models of scoped effects.


Keywords: algebraic effects · scoped effects · monads · category theory · algebraic theories.


1 Introduction 


The central idea of algebraic effects [29] is that impure computation can be built and reasoned about equationally, using an algebraic theory. Effect handlers [28] are a way of implementing algebraic effects and provide a method for modularly programming with different effects. More formally, an effect handler gives a model for an algebraic theory. In this paper we develop equational reasoning for a notion arising from an extension of handlers, called scoped effects, using the framework of parameterized algebraic theories.

The central idea of scoped effects (Sec. 2.2) is that certain parts of an impure computation should be dealt with one way, and other parts another way, inspired by scopes in exception handling. Compared to algebraic effects, the crucial difference is that the scope on which a scoped effect acts is delimited. This difference leads to a complex relationship with monadic sequencing (>>=). The theory and practice of scoped effects [41,23,42,5,40,43] has primarily been studied by extending effect handlers to deal with not just algebraic operations, but also more complex scoped operations. They form the basis of the fused-effects and polysemy libraries for Haskell. Aside from exception handling, other applications include back-tracking in parsing [41] and timing analysis in telemetry [39].

© The Author(s) 2024

Parameterized algebraic theories (Sec. 2.3) extend plain algebraic theories with variable binding operations for an abstract type of parameters. They have been used to study various resources including logic variables in logic programming [35], channels in the π-calculus [36], code pointers [7], qubits in quantum programming [38], and urns in probabilistic programming [34].


Contributions. We propose an equational perspective for scoped effects where 
scopes are resources, by analogy with other resources like file handles. We develop 
this perspective using the framework of parameterized algebraic theories, which 
provides an algebraic account of effects with resources and instances. We realize 
scoped effects by encoding the scopes as resources with open/close operations, 
analogous to opening/closing files. This fresh perspective provides: 


— the first syntactic sound and complete equational reasoning system for scoped effects, based on the equational reasoning for parameterized algebraic theories (Prop. 2, Prop. 3);

— a canonical notion of semantic model for scoped effects supporting three key examples from the literature: nondeterminism with semi-determinism (Thm. 2), catching exceptions (Thm. 3), and local state (Thm. 4); and

— a reconstruction of the previous categorical analysis of scoped effects via the categorical analysis of parameterized algebraic theories: the constructors (◁, ▷) are shown to be not ad hoc, but rather the crucial mechanism for arities/coarities in parameterized algebraic theories (Thm. 1).


[Fig. 1. Illustrating (1): the term drawn as a tree, with a red box delimiting the scope of once; the leaves are 1, 2, 3, 4.]

Example: nondeterminism with semi-determinism. We now briefly illustrate the intuition underlying the connection between scoped effects and parameterized algebraic theories through an example. (See Examples 1 and 4 for further details.) Let us begin with two algebraic operations: or(x, y), which nondeterministically chooses between continuing¹ as computation x or as computation y, and fail, which fails immediately. We add semi-determinism in the form of a scoped operation once(x), which chooses the first branch of the computation x that does not fail. Importantly, the scope that once acts on is delimited. The left program below returns 1; the right one returns 1 or 2, as the second or is outside the scope of once.

¹ This continuation-passing style is natural for algebraic effects, but when programming one often uses equivalent direct-style generic effects [25] such as or : unit → bool, where or(x, y) can be recovered by pattern matching on the result of or.


once(or(or(1, 2), or(3, 4)))        once(or(1, 3)) >>= λx. or(x, x + 1)

Now consider a slightly more involved example, which also returns 1 or 2:

once(or(fail, or(1, 3))) >>= λx. or(x, x + 1)    (1)


depicted as a tree in Fig. 1 where the red box delimits the scope of once. We 
give an encoding of term (1) in a parameterized algebraic theory as follows: 


once(a. or(fail, or(close(a, or(1, 2)), close(a, or(3, 4)))))    (2)


where a is the name of the scope opened by once and closed by the special close 
operation. By equational reasoning for scoped effects (§3) and the equations for 
nondeterminism (Fig. 2), we can prove that the term (2) is equivalent to or(1, 2). 


2 Background 


2.1 Algebraic effects 


Moggi [20,21] shows that many non-pure features of programming languages, typically referred to as computational effects, can be modelled uniformly as monads, but the question is — how do we construct a monad for an effect, or putting it differently, where do the monads modelling effects come from? A classical result in category theory is that finitary monads over the category of sets are equivalent to algebraic theories [16,15]: an algebraic theory gives rise to a finitary monad by the free-algebra construction, and conversely every finitary monad is presented by a certain algebraic theory. Motivated by this correspondence, Plotkin and Power [26] show that many monads that are used for modelling computational effects can be presented by algebraic theories of some basic effectful operations and some computationally natural equations. This observation led them to the following influential perspective on computational effects [26], which is nowadays commonly referred to as algebraic effects:


Perspective 1 ([26]). An effect is realized by an algebraic theory of its basic 
operations, so it determines a monad but is not identified with the monad. 


We review the framework in a simple form here; see [27,2] for more discussion. 


Definition 1. A (first-order finitary) algebraic signature Σ = (|Σ|, ar) consists of a set |Σ|, whose elements are referred to as operations, together with a mapping ar : |Σ| → ℕ, associating an arity to each operation.


Given a signature Σ = (|Σ|, ar), we will write O : n for an operation O ∈ |Σ| with ar(O) = n. The terms Tm_Σ(Γ) in a context Γ, which is a finite list of variables, are inductively generated by the following rules:

$$\frac{}{\Gamma, x, \Gamma' \vdash x} \qquad\qquad \frac{(O : n) \qquad \Gamma \vdash t_i \ \text{ for } i = 1 \ldots n}{\Gamma \vdash O(t_1, \ldots, t_n)}$$

As usual we will consider terms up to renaming of variables. Thus a context Γ = (x₁, ..., xₙ) can be identified with the natural number n, and Tm_Σ can be thought of as a function ℕ → Set.


Example 1. The signature of explicit nondeterminism has two operations:

$$\mathsf{or} : 2 \qquad \mathsf{fail} : 0.$$

Some small examples of terms of this signature are

$$\vdash \mathsf{fail} \qquad x, y, z \vdash \mathsf{or}(x, \mathsf{or}(y, z)) \qquad x, y, z \vdash \mathsf{or}(\mathsf{or}(x, y), \mathsf{fail})$$

Example 2. The signature of mutable state of a single bit has operations:

$$\mathsf{put}^0 : 1 \qquad \mathsf{put}^1 : 1 \qquad \mathsf{get} : 2.$$


The informal intuition for a term Γ ⊢ putⁱ(t) is a program that writes the bit i ∈ {0, 1} to the mutable state and then continues as another program t, and a term Γ ⊢ get(t₀, t₁) is a program that reads the state, and continues as tᵢ if the state is i. For example, the term x, y ⊢ put⁰(get(x, y)) first writes 0 to the state, then reads 0 from the state, so always continues as x. For simplicity we consider a single bit, but multiple fixed locations and other storage are possible [26].


Definition 2. A (first-order finitary) algebraic theory T = (Σ, E) is a signature Σ (Def. 1) and a set E of equations of the signature Σ, where an equation is a pair of terms Γ ⊢ L and Γ ⊢ R under some context Γ. We will usually write an equation as Γ ⊢ L = R.

Example 3. The theory of exception throwing has a signature containing a single 
operation throw : 0 and no equations. The intuition for throw is that it throws 
an exception and the control flow never comes back, so it is a nullary operation. 


Example 4. The theory of explicit nondeterminism has the signature in Example 1 and the following equations saying that fail and or form a monoid:

$$x \vdash \mathsf{or}(\mathsf{fail}, x) = x \qquad x \vdash \mathsf{or}(x, \mathsf{fail}) = x \qquad x, y, z \vdash \mathsf{or}(x, \mathsf{or}(y, z)) = \mathsf{or}(\mathsf{or}(x, y), z)$$


Example 5. The theory of mutable state has the signature in Example 2 and the following equations for all i, i' ∈ {0, 1}:

$$x_0, x_1 \vdash \mathsf{put}^i(\mathsf{get}(x_0, x_1)) = \mathsf{put}^i(x_i) \qquad x \vdash \mathsf{put}^i(\mathsf{put}^{i'}(x)) = \mathsf{put}^{i'}(x)$$
$$x \vdash \mathsf{get}(\mathsf{put}^0(x), \mathsf{put}^1(x)) = x$$


Every algebraic theory gives rise to a monad by the free-algebra construction, which we will discuss in a more general setting in Section 3. The three examples above respectively give rise to the monads (1 + −), List, (− × 2)² on the category of sets that are used to give semantics to the respective computational effects in programming languages [20,21]. In this way, the monad for a computational effect is constructed in a very intuitive manner, and this approach is highly composable: one can take the disjoint union of two algebraic theories to combine two effects, and possibly add more equations to characterise the interaction between the two theories [12]. By contrast, monads are not composable in general.

The kind of plain algebraic theory encapsulated by Def. 2 above is not, however, sufficiently expressive for some programming language applications. In this paper we focus on two problems with plain algebraic theories:


1. Firstly, monadic bind for the monad generated by an algebraic theory is essentially defined using simultaneous substitution of terms: given a term t ∈ Tm_Σ(Γ) in a context Γ and a mapping σ : Γ → Tm_Σ(Γ') from variables in Γ to terms in some context Γ', the simultaneous substitution of σ in t is t[σ] where

$$x[\sigma] = \sigma(x) \qquad O(t_1, \ldots, t_n)[\sigma] = O(t_1[\sigma], \ldots, t_n[\sigma]).$$


On the other hand, bind for a monad is used for interpreting sequential 
composition of computations. Therefore, the second clause above implies that 
every algebraic effect operation must commute with sequential composition. 
However, in practice not every effectful operation enjoys this property. 

2. Secondly, it is common to have multiple instances of a computational effect 
that can be dynamically created. For example, it is typical in practice to 
have an effectful operation openFile that creates a ‘file descriptor’ for a file 
at a given path, and for each file descriptor there is a pair of read and write 
operations that are independent of those for other files. 
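To make the substitution clause of item 1 and the models of Examples 4 and 5 concrete, here is an added Python example (my own code, not the paper's): terms over the signatures of Examples 1 and 2, the simultaneous substitution t[σ], and evaluation in the List and (− × 2)² models. It checks the monoid and state equations in those models and observes that substitution commutes with evaluation, which is exactly what lets bind be defined by substitution. The dataclass representation, the `well_formed`/`subst`/`eval_*` names and the sample environments are choices made for this example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Op:
    op: str
    args: Tuple["Term", ...]


Term = Union[Var, Op]

# Signatures of Examples 1 and 2: operation name -> arity.
NONDET = {"or": 2, "fail": 0}
STATE = {"put0": 1, "put1": 1, "get": 2}


def well_formed(sig: Dict[str, int], t: Term, ctx: Tuple[str, ...]) -> bool:
    """Gamma |- t: variables must be in the context and every operation must be
    applied to exactly ar(O) arguments (the two term-formation rules)."""
    if isinstance(t, Var):
        return t.name in ctx
    return (t.op in sig and len(t.args) == sig[t.op]
            and all(well_formed(sig, a, ctx) for a in t.args))


def subst(t: Term, sigma: Dict[str, Term]) -> Term:
    """Simultaneous substitution t[sigma]:
    x[sigma] = sigma(x),   O(t1, ..., tn)[sigma] = O(t1[sigma], ..., tn[sigma])."""
    if isinstance(t, Var):
        return sigma[t.name]
    return Op(t.op, tuple(subst(a, sigma) for a in t.args))


# Model of Example 4 in the List monad: a variable denotes the list bound to it
# in the environment, or appends the lists of its two branches, fail is [].
def eval_nondet(t: Term, env: Dict[str, list]) -> list:
    if isinstance(t, Var):
        return env[t.name]
    if t.op == "fail":
        return []
    left, right = (eval_nondet(a, env) for a in t.args)
    return left + right


# Model of Example 5 in the (- x 2)^2 monad: a term denotes a function from the
# current bit to whatever the variable eventually reached produces.
Comp = Callable[[int], object]


def eval_state(t: Term, env: Dict[str, Comp]) -> Comp:
    if isinstance(t, Var):
        return env[t.name]
    if t.op in ("put0", "put1"):
        i, k = int(t.op[-1]), eval_state(t.args[0], env)
        return lambda s: k(i)                       # overwrite the bit, then continue
    k0, k1 = (eval_state(a, env) for a in t.args)
    return lambda s: (k0 if s == 0 else k1)(s)      # branch on the current bit


def state_equal(f: Comp, g: Comp) -> bool:
    """Two state computations are equal iff they agree on both initial bits."""
    return all(f(s) == g(s) for s in (0, 1))


def substitution_lemma(t: Term, sigma: Dict[str, Term], env: Dict[str, list]) -> bool:
    """Evaluating t[sigma] equals evaluating t with each variable interpreted by
    its substitute: the algebraic operations commute with substitution."""
    env2 = {x: eval_nondet(u, env) for x, u in sigma.items()}
    return eval_nondet(subst(t, sigma), env) == eval_nondet(t, env2)


def nondet_laws_hold() -> bool:
    """The monoid equations of Example 4, checked on a constructed environment."""
    env = {"x": [1], "y": [2, 3], "z": [4]}
    x, y, z, fail = Var("x"), Var("y"), Var("z"), Op("fail", ())
    o = lambda a, b: Op("or", (a, b))
    ev = lambda t: eval_nondet(t, env)
    return (ev(o(fail, x)) == ev(x) and ev(o(x, fail)) == ev(x)
            and ev(o(x, o(y, z))) == ev(o(o(x, y), z)))


def state_laws_hold() -> bool:
    """The three equation schemes of Example 5, for all i, i' in {0, 1}."""
    # each variable reports its own name and the bit it is reached with
    env = {n: (lambda s, n=n: (n, s)) for n in ("x", "x0", "x1")}
    x, x0, x1 = Var("x"), Var("x0"), Var("x1")
    put = lambda i, t: Op(f"put{i}", (t,))
    get = lambda a, b: Op("get", (a, b))
    ev = lambda t: eval_state(t, env)
    ok = state_equal(ev(get(put(0, x), put(1, x))), ev(x))
    for i in (0, 1):
        ok = ok and state_equal(ev(put(i, get(x0, x1))), ev(put(i, (x0, x1)[i])))
        for j in (0, 1):
            ok = ok and state_equal(ev(put(i, put(j, x))), ev(put(j, x)))
    return ok
```

The `substitution_lemma` check is the concrete form of the remark that bind is substitution: because every operation is interpreted argument-wise, substituting first and evaluating afterwards gives the same result as evaluating the substitutes and plugging them in as the meaning of the variables.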


These two restrictions have been studied separately, and different extensions 
to algebraic theories generalising Def. 2 have been proposed for each: scoped 
algebraic effects for the first problem above and parameterized algebraic effects 
for the second. At first glance, the two problems seem unrelated, but the fresh 
perspective of this paper is that scoped effects can be fruitfully understood as a 
non-commutative linear variant of parameterized effects. 


2.2 Scoped effects


Recall that our first problem with plain algebraic theories is that operations must commute with sequential composition. Therefore an operation O(x₁, ..., xₙ) is 'atomic' in the sense that it may not delimit a fresh scope. Alas, in practice it is not uncommon to have operations that do delimit scopes. An example is exception catching: catch(p, h) is a binary operation on computations that first tries the program p and if p throws an exception then h is run. The catch operation does not commute with sequential composition as catch(p, h) >>= f behaves differently from catch(p >>= f, h >>= f). The former catches only the exceptions in p whereas the latter catches exceptions both in p and in f. Further examples include operations such as opening a file in a scope, running a program concurrently in a scope, and looping a program in a scope.
Operations delimiting scopes are treated as handlers (i.e. models) of algebraic operations by Plotkin and Pretnar [28], instead of operations in their own right. The following alternative perspective was first advocated by Wu et al. [41].


Perspective 2 ([41]). Scoped operations are operations that do not commute with substitution, since sequential composition in monads generated from algebraic theories corresponds to substitution. Such operations arise in contexts other than computational effects as well, for example, the later modality in guarded dependent type theory (GDTT) [4].


Extensions of algebraic effects to accommodate scoped operations were first 
studied by Wu et al. [41] in Haskell, where the authors proposed two approaches: 


1. The bracketing approach uses a pair of algebraic operations begin_s and end_s to encode a scoped operation s. For example, the program s(put⁰); put¹(x), where put⁰ is wrapped in the scope of s, is encoded formally as

$$\mathsf{begin}_s(\mathsf{put}^0(\mathsf{end}_s(\mathsf{put}^1(x)))).$$


2. The higher-order abstract syntax (HOAS) approach directly constructs a monad for programs with algebraic and scoped operations. In Haskell, their monad for programs with algebraic operations parameterized by a signature functor asig and scoped operations parameterized by a functor ssig is

    data Prog a where
      Ret :: a -> Prog a
      Alg :: asig (Prog a) -> Prog a
      Scp :: forall x. ssig (Prog x) -> (x -> Prog a) -> Prog a

where Scp p f represents a scoped operation acting on a program p followed by a program f after the scope (cf. delayed substitution in GDTT [4]).
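As an added example (my own Python, not the authors' Haskell), the following mirrors the Ret/Alg/Scp constructors for the signature of Sec. 1 (or, fail, and the scoped once), defines the bind that composes a continuation after a scope without entering it, and interprets programs into lists so that the three programs of Sec. 1 can be run. A deliberately wrong bind that pushes the continuation into the scope shows what delimiting changes. The function names and the list semantics of once (keep the first result of the body) are assumptions of this example.

```python
from dataclasses import dataclass
from typing import Any, Callable, Tuple, Union


@dataclass(frozen=True)
class Ret:                          # Ret :: a -> Prog a
    value: Any


@dataclass(frozen=True)
class Alg:                          # Alg :: asig (Prog a) -> Prog a, asig = {or : 2, fail : 0}
    op: str
    args: Tuple["Prog", ...]


@dataclass(frozen=True)
class Scp:                          # Scp :: ssig (Prog x) -> (x -> Prog a) -> Prog a, ssig = {once : 1}
    op: str
    body: "Prog"                    # the program inside the scope
    cont: Callable[[Any], "Prog"]   # the program after the scope


Prog = Union[Ret, Alg, Scp]


def ret(v: Any) -> Prog:
    return Ret(v)


def fail() -> Prog:
    return Alg("fail", ())


def or_(p: Prog, q: Prog) -> Prog:
    return Alg("or", (p, q))


def once(p: Prog) -> Prog:
    return Scp("once", p, ret)      # fresh scope with the identity continuation


def bind(p: Prog, f: Callable[[Any], Prog]) -> Prog:
    """Monadic bind (>>=). Algebraic operations commute with it, so f is pushed
    under or/fail; for a scoped operation f is composed onto the continuation
    *after* the scope and the body is left untouched: the scope is delimited."""
    if isinstance(p, Ret):
        return f(p.value)
    if isinstance(p, Alg):
        return Alg(p.op, tuple(bind(q, f) for q in p.args))
    return Scp(p.op, p.body, lambda x: bind(p.cont(x), f))


def bind_into_scope(p: Prog, f: Callable[[Any], Prog]) -> Prog:
    """The WRONG bind, kept only for contrast: it also pushes f into the scoped
    body, i.e. it treats once as if it were an algebraic operation."""
    if isinstance(p, Ret):
        return f(p.value)
    if isinstance(p, Alg):
        return Alg(p.op, tuple(bind_into_scope(q, f) for q in p.args))
    return Scp(p.op, bind_into_scope(p.body, f), p.cont)


def run(p: Prog) -> list:
    """Interpretation in the List monad (the model assumed here): or appends,
    fail is [], and once keeps only the first result of its body and then runs
    the continuation on it."""
    if isinstance(p, Ret):
        return [p.value]
    if isinstance(p, Alg):
        if p.op == "fail":
            return []
        left, right = p.args
        return run(left) + run(right)
    results = run(p.body)
    return run(p.cont(results[0])) if results else []


# The three programs of Sec. 1.
def program_left() -> Prog:            # once(or(or(1, 2), or(3, 4)))
    return once(or_(or_(ret(1), ret(2)), or_(ret(3), ret(4))))


def program_right() -> Prog:           # once(or(1, 3)) >>= \x. or(x, x + 1)
    return bind(once(or_(ret(1), ret(3))), lambda x: or_(ret(x), ret(x + 1)))


def program_1() -> Prog:               # once(or(fail, or(1, 3))) >>= \x. or(x, x + 1)
    return bind(once(or_(fail(), or_(ret(1), ret(3)))), lambda x: or_(ret(x), ret(x + 1)))


def program_1_undelimited() -> Prog:   # the same term, but with f pushed into the scope
    return bind_into_scope(once(or_(fail(), or_(ret(1), ret(3)))),
                           lambda x: or_(ret(x), ret(x + 1)))
```

`run(program_1())` yields [1, 2], as the text states for (1); `run(program_1_undelimited())` yields [1], because with the continuation inside the scope once sees all four leaves and keeps only the first. That difference is the whole content of "the scope that once acts on is delimited".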


The HOAS approach was regarded as the more principled one since in the first approach ill-bracketed pairs of begin_s and end_s are possible, such as

$$\mathsf{end}_s(\mathsf{put}^0(\mathsf{begin}_s(\mathsf{begin}_s(\mathsf{put}^1(x))))).$$


In subsequent work, both of these two approaches received further development 
[23,43,40,42] and operational semantics for scoped effects has also been developed 
[5]. Of particular relevance to the current paper is the work of Piróg et al. [23], 
which we briefly review in the rest of this section. 

Piróg et al. [23] fix the ill-bracketing problem in the bracketing approach by considering the category Set^ℕ whose objects are sequences X = (X(0), X(1), ...) of sets and morphisms are just sequences of functions. Given X ∈ Set^ℕ, the idea is that X(n) represents a set of terms at bracketing level n for every n ∈ ℕ.

On this category, there are two functors (▷), (◁) : Set^ℕ → Set^ℕ, pronounced 'later' and 'earlier', that shift the bracketing levels:

$$(\triangleright X)(0) = \emptyset, \qquad (\triangleright X)(n+1) = X(n), \qquad (\triangleleft X)(n) = X(n+1). \tag{3}$$

These two functors are closely related to bracketing: a morphism b : ◁X → X for a functor X opens a scope, turning a term t at level n + 1 to the term begin(t) at level n. Conversely, a morphism e : ▷X → X closes a scope, turning a term t outside the scope, so at level n − 1, to the term end(t) at level n.
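An added example (not from the paper) that implements the bracketing encoding of s(body); after as begin_s(body[end_s(after)]) and checks bracketing levels following (3): variables sit at level 0, begin takes a term at level n + 1 to level n, end takes a term at level n − 1 to level n, and a well-bracketed program is a term at level 0. The term representation, the HOLE marker and the function names are my own.

```python
from dataclasses import dataclass
from typing import Tuple, Union


@dataclass(frozen=True)
class Var:
    name: str


@dataclass(frozen=True)
class Node:
    op: str                     # an algebraic operation, or "begin_s" / "end_s"
    args: Tuple["Term", ...]


@dataclass(frozen=True)
class Scope:                    # s(body); after, before encoding
    op: str
    body: "Term"                # contains HOLE where the rest of the program goes
    after: "Term"


Term = Union[Var, Node, Scope]
HOLE = Var("<rest>")            # constructed marker for "the program after the scope"


def plug(t: Term, u: Term) -> Term:
    """Replace every HOLE in an encoded term t by u."""
    if isinstance(t, Var):
        return u if t == HOLE else t
    return Node(t.op, tuple(plug(a, u) for a in t.args))


def encode(t: Term) -> Term:
    """Bracketing encoding: s(body); after  |->  begin_s(body[end_s(after)]),
    e.g. s(put0); put1(x) becomes begin_s(put0(end_s(put1(x))))."""
    if isinstance(t, Var):
        return t
    if isinstance(t, Node):
        return Node(t.op, tuple(encode(a) for a in t.args))
    closing = Node(f"end_{t.op}", (encode(t.after),))
    return Node(f"begin_{t.op}", (plug(encode(t.body), closing),))


def lives_at(t: Term, n: int) -> bool:
    """Is t an element of X(n), the terms at bracketing level n?
    Variables live at level 0 (the object up-A); begin : earlier X -> X sends a
    term at level n + 1 to level n; end : later X -> X sends a term at level
    n - 1 to level n, so no end(...) lives at level 0 because (later X)(0) is
    empty. Algebraic operations keep the level of all their arguments, and a
    nullary operation therefore lives at every level."""
    if isinstance(t, Scope):
        return lives_at(encode(t), n)
    if isinstance(t, Var):
        return n == 0
    if t.op.startswith("begin_"):
        return lives_at(t.args[0], n + 1)
    if t.op.startswith("end_"):
        return n >= 1 and lives_at(t.args[0], n - 1)
    return all(lives_at(a, n) for a in t.args)


def is_program(t: Term) -> bool:
    """Well-bracketed closed programs are exactly the terms at level 0."""
    return lives_at(t, 0)
```

With this checker the encoding of s(put⁰); put¹(x) is accepted, while the ill-bracketed end_s(put⁰(begin_s(begin_s(put¹(x))))) is rejected at the outermost end_s, since nothing lives in (▷X)(0).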

Given two signatures Σ and Σ' as in Def. 1 for algebraic and scoped operations respectively, let Σ, Σ' : Set^ℕ → Set^ℕ be the functors given by

$$(\Sigma X)(n) = \coprod_{O \in |\Sigma|} X(n)^{\mathrm{ar}(O)} \qquad \text{and} \qquad (\Sigma' X)(n) = \coprod_{O \in |\Sigma'|} X(n)^{\mathrm{ar}(O)}.$$

Moreover, for every A ∈ Set, let ↑A ∈ Set^ℕ be given by

$$(\uparrow A)(0) = A, \qquad (\uparrow A)(n+1) = \emptyset,$$

and conversely for every X ∈ Set^ℕ, let ↓X ∈ Set be given by ↓X = X(0).


Proposition 1 (Piróg et al. [23]). The following functor can be extended to a monad that is isomorphic to the monad Prog in the HOAS approach above:

$$\downarrow \circ\, (\Sigma + (\Sigma' \circ \triangleleft) + \triangleright)^{*} \circ \uparrow \;:\; \mathbf{Set} \to \mathbf{Set}$$

where (−)* is the free monad over an endofunctor.


The monad from Prop. 1 is a way of specifying the syntax of programs with algebraic and scoped operations, without taking into account equations. In [23], a model of a scoped effect is an algebra for the monad (Σ + (Σ' ∘ ◁) + ▷)*. In Thms. 2-4, we show that three examples of models from [23] are free algebras on ↑A ∈ Set^ℕ for an appropriate set of equations for each example.


2.3 Parameterized algebraic theories 


Recall that our second problem with plain algebraic theories is that they do not support the dynamic creation of multiple instances of computational effects. This problem, sometimes known as the local computational effects problem, was first systematically studied by Power [32] in a purely categorical setting. A syntactic framework extending that of algebraic theories, called parameterized algebraic theories, was introduced by Staton [35,36] and is used to give an axiomatic account of local computational effects such as restriction [24], local state [26], and the π-calculus [19,33].

Operations in a parameterized theory are more general than those in an algebraic theory because they may use and create values in an abstract type of parameters. The parameter type has different intended meanings for different examples of parameterized theories, typically as some kind of resource such as memory locations or communication channels. In this paper, we propose to interpret parameters as names of scopes.


Perspective 3. Scoped operations can be understood as operations allocating 
and consuming instances of a resource: the names of scopes. 
In the case of local state, the operations of Example 2 become $\mathrm{get}(a, x_0, x_1)$
and $\mathrm{put}^{i}(a, x)$, now taking a parameter $a$ which is the location being read or
written to. In a sense, each memory location $a$ represents an instance of the state
effect, with its own get and put operations. We also have a term $\mathrm{new}^{i}(a.x(a))$
which allocates a fresh location named $a$ storing an initial value $i$, then continues
as $x$; the computation $x$ might mention location $a$. The following is a possible
equation, which says that reading immediately after allocating is redundant:

\[ \mathrm{new}^{i}(a.\mathrm{get}(a, x_0(a), x_1(a))) = \mathrm{new}^{i}(a.x_i(a)). \]


For the full axiomatization of local state see [36, §V.E]. A closed term can only
mention locations introduced by $\mathrm{new}^{i}$, meaning that the type of locations is abstract.

To model scoped operations, we think of them as allocating a new scope. For
example, the scoped operation once, which chooses the first non-failing branch
of a nondeterministic computation, is written as once(a.x(a)). It creates a new
scope $a$ and proceeds as $x$. As in §1, there is an explicit operation close(a, x) for
closing the scope $a$ and continuing as $x$.

Well-formed programs close scopes precisely once and in the reverse order to 
their allocation. Thus in §3 we will discuss a non-commutative linear variation 
of parameterized algebraic theories needed to model scoped effects. With our 
framework we then give axiomatizations for examples from the scoped effects 
literature (Thms. 2-4). 

Our parameters are linear in the same sense as variables in linear logic and lin- 
ear lambda calculi e.g. [11,3], but with an additional non-commutativity restric- 
tion. Non-commutative linear systems are also known as ordered linear systems 
e.g. [30,22]. A commutative linear version of parameterized algebraic theories 
was considered in [38] to give an algebraic theory of quantum computation; in 
this case, parameters stand for qubits. 


Remark 1. Parameterized algebraic theories characterize a certain class of en- 
riched monads [35], extending the correspondence between algebraic theories 
and monads on the category of sets, and the idea of Plotkin and Power [26] that 
computational effects give rise to monads (see §2.1). Thus, the syntactic frame- 
work of parameterized theories has a canonical semantic status. We can use the 
monad arising from a parameterized theory to give semantics to a programming 
language containing the effects in question. 


The framework of parameterized algebraic theories is related to graded theo- 
ries [13], which also use presheaf-enrichment; second-order algebra [8,9,10], which 
also use variable binding; and graphical methods [17], which also connect to 
presheaf categories. 


3 Parameterized theories of scoped effects 


In order to describe scoped effects we use a substructural version of parameterized
algebraic theories [35]. A theory consists of a signature (Def. 3) and
equations (Def. 4) between terms formed from the signature. Terms contain two
kinds of variables: computation variables (x, y, ...), which each expect a certain
number of parameters, and parameter variables (a, b, ...). In the case of scoped
effects, a parameter represents the name of a scope.


\[ x:0, y:0, z:0 \mid - \vdash \mathrm{or}(\mathrm{or}(x, y), z) = \mathrm{or}(x, \mathrm{or}(y, z)) \quad (4) \]
\[ x:0 \mid - \vdash \mathrm{or}(x, \mathrm{fail}) = x \qquad x:0 \mid - \vdash \mathrm{or}(\mathrm{fail}, x) = x \quad (5) \]
\[ - \mid - \vdash \mathrm{once}(a.\mathrm{fail}) = \mathrm{fail} \qquad x:1 \mid - \vdash \mathrm{once}(a.\mathrm{or}(x(a), x(a))) = \mathrm{once}(a.x(a)) \quad (6) \]
\[ x:0 \mid - \vdash \mathrm{once}(a.\mathrm{close}(a, x)) = x \qquad x:0, y:1 \mid - \vdash \mathrm{once}(a.\mathrm{or}(\mathrm{close}(a, x), y(a))) = x \quad (7) \]

Fig. 2. The parameterized theory of explicit nondeterminism (4-5) and once (6-7).
Terms-in-context are defined further down.


Definition 3. A (parameterized) signature $\Sigma = (|\Sigma|, \mathrm{ar})$ consists of a set of
operations $|\Sigma|$ and for each operation $O \in |\Sigma|$ a parameterized arity $\mathrm{ar}(O) =
(p \mid m_1, \ldots, m_k)$ consisting of a natural number $p$ and a list of natural numbers
$m_1, \ldots, m_k$. This means that the operation $O$ takes in $p$ parameters and $k$ continuations,
and it binds $m_i$ parameters in the $i$-th continuation.


Remark 2. Given signatures for algebraic and scoped operations, as in Def. 1 
and §2.2, we can translate them to a parameterized signature as follows: 


— for each algebraic operation (op : k) of arity $k \in \mathbb{N}$, there is a parameterized
operation with arity (0 | 0...0), where the list 0...0 has length $k$;

— for each scoped operation (sc : k) of arity $k \in \mathbb{N}$, there is a parameterized
operation sc : (0 | 1...1), where the list 1...1 has length $k$;

— there is an operation close : (1 | 0), which closes the most recent scope, and 
which all the different scoped operations share. 


Example 6. The algebraic theory of explicit nondeterminism in Example 1 can 
be extended with a semi-determinism operator once: 


or : (0 | 0,0)   once : (0 | 1)   fail : (0 | −)   close : (1 | 0)


The continuation of once opens a new scope, by binding a parameter. Inside this 
scope, only the first successful branch of or is kept. The term formation rules 
below allow the most recently opened scope to be closed using the close operation 
by consuming the most recently bound parameter; close has one continuation 
which does not depend on any parameters. See Fig. 2 for equations. 


For a given signature, we define the terms-in-context of algebra with non-commutative
linear parameters. A context $\Gamma$ of computation variables is a finite
list $x_1 : p_1, \ldots, x_n : p_n$, where each variable $x_i$ is annotated with the number
$p_i$ of parameters it consumes. A context $\Delta$ of parameter variables is a finite list
$a_1, \ldots, a_m$. Terms $\Gamma \mid \Delta \vdash t$ are inductively generated by the following two rules.

\[ \frac{(x : p) \in \Gamma}{\Gamma \mid a_1 \ldots a_p \vdash x(a_1 \ldots a_p)} \]

\[ \frac{\Gamma \mid \Delta, b_1 \ldots b_{m_1} \vdash t_1 \qquad \cdots \qquad \Gamma \mid \Delta, b_1 \ldots b_{m_k} \vdash t_k \qquad O : (p \mid m_1 \ldots m_k)}{\Gamma \mid \Delta, a_1 \ldots a_p \vdash O(a_1 \ldots a_p,\; b_1 \ldots b_{m_1}.t_1,\; \ldots,\; b_1 \ldots b_{m_k}.t_k)} \]


In the conclusion of the last rule, the parameters $a_1 \ldots a_p$ are consumed by the
operation $O$. The parameters $b_1 \ldots b_{m_i}$ are bound in $t_i$. As usual, we treat all
terms up to renaming of variables.

The context $\Gamma$ of computation variables admits the usual structural rules:
weakening, contraction, and exchange; the context $\Delta$ of parameters does not. All
parameters in $\Delta$ must be used exactly once, in the reverse of the order in which
they appear. Intuitively, a parameter in $\Delta$ is the name of an open scope, so the
restrictions on $\Delta$ mean that scopes must be closed in the opposite order that
they were opened, that is, scopes are well-bracketed. The arguments $t_1, \ldots, t_k$ of
an operation $O$ are continuations, each corresponding to a different branch of
the computation, hence they share the parameter context $\Delta$.

Compared to the algebra with linear parameters of [38], used for describing
quantum computation, our syntactic framework has the additional constraint
that $\Delta$ cannot be reordered. Given these constraints, the context $\Delta$ is in fact a
stack, so inside a term it is unnecessary to refer to the variables in $\Delta$ by name.
We have chosen to do so anyway in order to make more clear the connection to
non-linear parameterized theories [35,36].
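As an added illustration (not code from the paper), the following Python checker implements the two term-formation rules above with the parameter context kept as a stack: it accepts the left-hand sides of (7) and the weakening instance of (8) below, and rejects terms that leave a scope open or close scopes out of order. The encoding of signatures and terms is an assumption of this example.

```python
from dataclasses import dataclass

# Added example, not code from the paper: a checker for the two term-formation
# rules of Section 3.  The parameter context Delta is a tuple used as a stack
# (most recently opened scope last).  Encoding assumed here: a signature maps an
# operation name to its parameterized arity (p, [m_1, ..., m_k]).

@dataclass(frozen=True)
class Var:
    name: str
    params: tuple     # parameters consumed by the computation variable, in order

@dataclass(frozen=True)
class Op:
    name: str
    params: tuple     # the p parameters consumed by the operation
    conts: tuple      # ((bound_params, subterm), ...), one entry per continuation

def var(name, *params):
    return Var(name, tuple(params))

def op(name, params, *conts):
    return Op(name, tuple(params), tuple((tuple(b), t) for b, t in conts))

def check(sig, gamma, delta, term):
    """True iff  gamma | delta |- term  is derivable.  gamma maps each computation
    variable to the number of parameters it consumes; delta lists the open scopes."""
    delta = tuple(delta)
    if isinstance(term, Var):
        # Variable rule: (x : p) in gamma and delta is exactly a_1 ... a_p, all of
        # which x consumes in order.  A leftover parameter would violate linearity.
        return gamma.get(term.name) == len(term.params) and term.params == delta
    if isinstance(term, Op) and term.name in sig:
        p, ms = sig[term.name]
        if len(term.params) != p or len(term.conts) != len(ms):
            return False
        # Operation rule: O consumes the p most recently opened parameters, i.e.
        # the top of the stack; this is what forces scopes to close in reverse order.
        split = len(delta) - p
        if split < 0 or delta[split:] != term.params:
            return False
        rest = delta[:split]
        for m_i, (bound, sub) in zip(ms, term.conts):
            # Continuation i binds m_i fresh parameters on top of the remaining
            # context; every branch shares the same remaining open scopes.
            if len(bound) != m_i or set(bound) & set(rest):
                return False
            if not check(sig, gamma, rest + tuple(bound), sub):
                return False
        return True
    return False

# The signature of Example 6: explicit nondeterminism with once.
SIG_ONCE = {"or": (0, [0, 0]), "once": (0, [1]), "fail": (0, []), "close": (1, [0])}

def once_examples():
    """Both left-hand sides of (7), which are well-formed, and three terms that are not."""
    ctx = {"x": 0, "y": 1}
    close_x = op("close", ("a",), ((), var("x")))                    # close(a, x)
    or_close_y = op("or", (), ((), close_x), ((), var("y", "a")))    # or(close(a, x), y(a))
    or_close_x = op("or", (), ((), close_x), ((), var("x")))         # or(close(a, x), x)
    close_b_x = op("close", ("b",), ((), var("x")))                  # close(b, x)
    close_a_b = op("close", ("a",), ((), close_b_x))                 # close(a, close(b, x))
    inner_once = op("once", (), (("b",), close_a_b))                 # once(b.close(a, close(b, x)))
    return {
        "eq7_left": check(SIG_ONCE, ctx, (), op("once", (), (("a",), close_x))),
        "eq7_right": check(SIG_ONCE, ctx, (), op("once", (), (("a",), or_close_y))),
        # once(a.x): the scope a is opened but never closed
        "scope_unused": check(SIG_ONCE, ctx, (), op("once", (), (("a",), var("x")))),
        # once(a.or(close(a, x), x)): the second branch does not close the scope
        "branch_leaks": check(SIG_ONCE, ctx, (), op("once", (), (("a",), or_close_x))),
        # once(a.once(b.close(a, close(b, x)))): scopes closed out of order
        "not_bracketed": check(SIG_ONCE, ctx, (), op("once", (), (("a",), inner_once))),
    }

# The weakening instance of rule (8) in the text, for O : (1 | 1).
SIG_O = {"O": (1, [1])}

def weakening_examples():
    """Premise  x:2 | a1,a2 |- O(a2, b.x(a1, b))  and the conclusion with x':4 and a'1, a'2 added."""
    before = op("O", ("a2",), (("b",), var("x", "a1", "b")))
    after = op("O", ("a2",), (("b",), var("x'", "a'1", "a'2", "a1", "b")))
    return (check(SIG_O, {"x": 2}, ("a1", "a2"), before),
            check(SIG_O, {"x'": 4}, ("a'1", "a'2", "a1", "a2"), after))
```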

The syntax admits the following simultaneous substitution rule:

\[ \frac{(x_1 : m_1, \ldots, x_k : m_k) \mid \Delta \vdash t \qquad \Gamma' \mid \Delta', a_1 \ldots a_{m_1} \vdash t_1 \qquad \cdots \qquad \Gamma' \mid \Delta', a_1 \ldots a_{m_k} \vdash t_k}{\Gamma' \mid \Delta', \Delta \vdash t[(\Delta', a_1 \ldots a_{m_1} \vdash t_1)/x_1, \ldots, (\Delta', a_1 \ldots a_{m_k} \vdash t_k)/x_k]} \quad (8) \]


In the conclusion, the notation $(\Delta', a_1 \ldots a_{m_i} \vdash t_i)/x_i$ emphasizes that the parameters
$(a_1 \ldots a_{m_i})$ in $t_i$ are replaced by the corresponding parameters that $x_i$
consumes in $t$, either bound parameters or free parameters from $\Delta$. To ensure
that the term in the conclusion is well-formed, we must substitute a term that
depends on $\Delta'$ for all the computation variables in the context of $t$.

An important special case of the substitution rule is where we add a number
of extra parameter variables to the beginning of the parameter context, increasing
the sort of each computation variable by the same number. The following
example instance of (8), where $\mathrm{ar}(O) = (1 \mid 1)$, illustrates such a ‘weakening’ by
adding two extra parameter variables $a'_1, a'_2$, and replacing $x : 2$ by $x' : 4$.

\[ \frac{x : 2 \mid a_1, a_2 \vdash O(a_2, b.x(a_1, b)) \qquad x' : 4 \mid a'_1, a'_2, b_1, b_2 \vdash x'(a'_1, a'_2, b_1, b_2)}{x' : 4 \mid a'_1, a'_2, a_1, a_2 \vdash O(a_2, b.x'(a'_1, a'_2, a_1, b))} \]


Definition 4. An algebraic theory $T = (\Sigma, E)$ with non-commutative linear
parameters is a parameterized signature $\Sigma$ together with a set $E$ of equations.
An equation is a pair of terms in the same context $(\Gamma \mid \Delta)$ for some $\Gamma$ and $\Delta$.
We will omit the qualifier “with non-commutative linear parameters” where
convenient and refer to “parameterized theories” or just “theories”. Given a theory
$T$, we form a system of equivalence relations $=_{T,(\Gamma \mid \Delta)}$ on terms in each
context $(\Gamma \mid \Delta)$ by closing substitution instances of the axioms under reflexivity,
symmetry, transitivity, and congruence.


Example 7. As we mentioned earlier, exception catching is not an ordinary algebraic
operation. As parameterized operations, the signature for throwing and
catching exceptions is the following:

throw : (0 | −)   catch : (0 | 1,1)   close : (1 | 0)

The throw operation uses no parameters and takes no continuations. The catch
operation uses no parameters and takes two continuations which each open a
new scope, by binding a fresh parameter. Exceptions are caught in the first
continuation, and are handled using the second continuation.

The close operation uses one parameter and takes one continuation binding no
parameters. The term close(a, x) closes the scope named by $a$ and continues as $x$.
For example, in catch(a.close(a, x), b.y(b)), exceptions in $x$ will not be caught,
because the scope of the catch has already been closed. The equations are:

\[ y:0 \mid - \vdash \mathrm{catch}(a.\mathrm{throw}, b.\mathrm{close}(b, y)) = y \quad (9) \]
\[ - \mid - \vdash \mathrm{catch}(a.\mathrm{throw}, b.\mathrm{throw}) = \mathrm{throw} \quad (10) \]
\[ x:0, y:1 \mid - \vdash \mathrm{catch}(a.\mathrm{close}(a, x), b.y(b)) = x \quad (11) \]


Remark 3. The arity of catch from Ex. 7 corresponds to the signature used in [23, 
Ex. 4.5]. Using the extra flexibility of parameterized algebraic theories, we could 
instead consider the arity catch : (0 | 1,0). This seems more natural as there is no 
need to delimit a scope in the second continuation, which handles the exceptions. 


Example 8 (Mutable state with local values). The theory of (boolean) mutable
state with one memory location (Ex. 2) can be extended with scoped operations
$\mathrm{local}^{0}$ and $\mathrm{local}^{1}$ that write respectively 0 and 1 to the state. Inside the scope of
local, the value of the state just before the local is not accessible anymore, but
when the local is closed the state reverts to this previous value.

$\mathrm{local}^{i} : (0 \mid 1)$   $\mathrm{put}^{i} : (0 \mid 0)$   $\mathrm{get} : (0 \mid 0,0)$   $\mathrm{close} : (1 \mid 0)$

The equations for the parameterized theory of state with local comprise the usual
equations for state [26,18]:

\[ x:0 \mid - \vdash \mathrm{get}(\mathrm{put}^{0}(x), \mathrm{put}^{1}(x)) = x \qquad x:0 \mid - \vdash \mathrm{put}^{i}(\mathrm{put}^{j}(x)) = \mathrm{put}^{j}(x) \quad (12) \]
\[ x_0:0, x_1:0 \mid - \vdash \mathrm{put}^{i}(\mathrm{get}(x_0, x_1)) = \mathrm{put}^{i}(x_i) \quad (13) \]

together with equations for local/close, and the interaction with state:

\[ x:0 \mid - \vdash \mathrm{local}^{i}(a.\mathrm{close}(a, x)) = x \quad (14) \]
\[ x_0:1, x_1:1 \mid - \vdash \mathrm{local}^{i}(a.\mathrm{get}(x_0(a), x_1(a))) = \mathrm{local}^{i}(a.x_i(a)) \quad (15) \]
\[ x:1 \mid - \vdash \mathrm{local}^{i}(a.\mathrm{put}^{j}(x(a))) = \mathrm{local}^{j}(a.x(a)) \quad (16) \]
\[ x:0 \mid a \vdash \mathrm{put}^{i}(\mathrm{close}(a, x)) = \mathrm{close}(a, x) \quad (17) \]

This extension of mutable state is different from the one discussed in §2.3, where
memory locations can be dynamically created.


4 Models of parameterized theories 


4.1 Models in Set 


Models of first-order algebraic theories [2] consist simply of a set together with
specified interpretations of the operations of the signature, validating a (possibly
empty) equational specification. The more complex arities and judgement forms
of a parameterized theory require a correspondingly more complex notion of
model. Rather than simply being a set of abstract computations, a model will
now be stratified into a sequence of sets $X = (X(0), X(1), \ldots) \in \mathbf{Set}^{\mathbb{N}}$ where
$X(n)$ represents computations taking $n$ parameters. In §2.2 we described the use
of $\mathbf{Set}^{\mathbb{N}}$ in [23]. We connect the two approaches in Thm. 1 below.

At first glance, a term $x_1 : m_1, \ldots, x_k : m_k \mid a_1, \ldots, a_p \vdash t$ should denote a
function $X(m_1) \times \ldots \times X(m_k) \to X(p)$, since a $k$-tuple of possible continuations
that consume different numbers of parameters is mapped to a computation that
consumes $p$ parameters. However, the admissible substitution rule (8) shows us
that actually such a term must also denote a sequence of functions

\[ \llbracket x_1 : m_1, \ldots, x_k : m_k \mid a_1, \ldots, a_p \vdash t \rrbracket_{X,n} : X(n+m_1) \times \ldots \times X(n+m_k) \to X(n+p). \]


Definition 5. Let $\Sigma$ be a parameterized signature (Def. 3). A $\Sigma$-structure $X$ is
an $X \in \mathbf{Set}^{\mathbb{N}}$ equipped with, for each $O : (p \mid m_1, \ldots, m_k)$ and $n \in \mathbb{N}$, a function

\[ O_{X,n} : X(n+m_1) \times \ldots \times X(n+m_k) \to X(n+p). \]


The interpretation of terms is now defined by structural recursion in a standard
way, where the interpretation of a computation variable term such as
$x_1 : m_1, \ldots, x_k : m_k \mid a_1, \ldots, a_{m_i} \vdash x_i(a_1, \ldots, a_{m_i})$ is given by the sequence of
product projections

\[ X(n+m_1) \times \ldots \times X(n+m_i) \times \ldots \times X(n+m_k) \to X(n+m_i). \]


Definition 6. Let $T$ be a parameterized theory over the signature $\Sigma$. A $\Sigma$-structure
$X$ is a model of $T$ if for every equation $\Gamma \mid \Delta \vdash s = t$ in $T$, and every
$n \in \mathbb{N}$, we have an equality of functions $\llbracket \Gamma \mid \Delta \vdash s \rrbracket_{X,n} = \llbracket \Gamma \mid \Delta \vdash t \rrbracket_{X,n}$.


Proposition 2. The derivable equality ($=_T$) in a parameterized algebraic theory
$T$ is sound: every $T$-model satisfies every equation of $=_T$.


Proof (notes). By induction on the structure of derivations. 


Remark 4. A more abstract view on models is based on enriched categories, since
parameterized algebraic theories can be understood in terms of enriched Lawvere
theories [31,14,35]. This is useful because, by interpreting algebraic theories in
different categories, we can combine the algebra structure with other structure,
such as topological or order structure for recursion [1, §6], or make connections
with syntactic categories [37]. Recall that the category $\mathbf{Set}^{\mathbb{N}}$ has a ‘Day
convolution’ monoidal structure [6]: $(X \otimes Y)(n) = \sum_{m_1+m_2=n} X(m_1) \times Y(m_2)$.
With this structure, we can interpret a parameterized algebraic theory $T$ in any
$\mathbf{Set}^{\mathbb{N}}$-enriched category $\mathcal{C}$ with products, powers, and copowers. A $T$-model in $\mathcal{C}$
comprises an object $X \in \mathcal{C}$ together with, for each $O : (p \mid m_1 \ldots m_k)$, a morphism
$y(p) \cdot ([y(m_1), X] \times \cdots \times [y(m_k), X]) \to X$, making a diagram commute
for each equation in $T$. (Here, we write $y(m) = \mathbb{N}(m, -)$, and $(A \cdot X)$ and
$[A, X]$ for the copower and power.) The elementary notion of model (Def. 6) is
recovered because, for the symmetric monoidal closed structure on $\mathbf{Set}^{\mathbb{N}}$ itself,
$([y(m), X])(n) = X(n+m)$. This also connects with (3), since $(\rhd X) = y(1) \otimes X$
and $(\lhd X) = [y(1), X]$.


4.2 Free models and monads 


Strong monads are of fundamental importance to computational effects [21]. 
Algebraic theories give rise to strong monads via free models. 

In slightly more detail, there is an evident notion of homomorphism applicable
to $\Sigma$-structures and $T$-models, and thus we can sensibly discuss $\Sigma$-structures
and $T$-models that are free over some collection $X \in \mathbf{Set}^{\mathbb{N}}$ of generators.

Informally, for a theory $T$ we define $F_T X \in \mathbf{Set}^{\mathbb{N}}$ by taking $F_T X(n)$ to be
the set of $=_T$-equivalence classes of terms with parameter context $a_1, \ldots, a_n$
whose $m_i$-ary computation variables come from $X(m_i)$. More formally, we let

\[ F_T X(n) = \{ ([x_1 : m_1, \ldots, x_k : m_k \mid a_1, \ldots, a_n \vdash t]_{=_T}, c_1, \ldots, c_k) \mid c_i \in X(m_i) \} / \sim \]

where the equivalence relation $\sim$ allows us to $\alpha$-rename context variables in
the term judgements and apply permutation, contraction or weakening to the
computation context paired with the corresponding transformation of the tuple
$c_1, \ldots, c_k$. It is straightforward to make $F_T X$ into a $\Sigma$-structure.


Proposition 3.

1. $F_T X$ is a $T$-model, and moreover a free $T$-model over $X$.

2. $F_T$ extends to a monad on $\mathbf{Set}^{\mathbb{N}}$, strong for the Day tensor.

3. The derivable equality ($=_T$) in a parameterized algebraic theory $T$ is complete:
if an equation is valid in every $T$-model, then it is derivable in $=_T$.


A monad $T$ on $\mathbf{Set}^{\mathbb{N}}$ strong for the Day tensor is a monad in the usual sense
equipped with a strength $X \otimes TY \to T(X \otimes Y)$, where $\otimes$ is the Day tensor
defined in Rem. 4.


Proof (notes). For (3), the monadic unit introduces variables and the bind is 
substitution. (In fact, this is part of an equivalence between such sifted-colimit- 
preserving strong monads and parameterized theories, e.g. [38, §5].) 


Below we will consider explicit syntax-free characterizations of the free models 
for particular scoped theories. 

In the case of a theory without equations, we recover exactly the scoped
monad of Prop. 1 that was first given in [23]:

Theorem 1. Consider signatures for algebraic $\Sigma$ and scoped $\Sigma'$ effects with no
equations, inducing a parameterized algebraic theory $T$ (via Rem. 2). We have
an isomorphism of monads $F_T \cong (\Sigma + (\Sigma' \circ \lhd) + \rhd)^{*}$.

Proof (notes). To see this, we use the description of $F_T X(n)$ as a set of equivalence
classes of terms with computation variables coming from $X$. Consider
the outermost operation of such a term: each of $\Sigma$, $(\Sigma' \circ \lhd)$ and $\rhd$ on the right-hand
side corresponds to one of the three possibilities for this operation, algebraic,
scoped or close respectively. Scoped operations bind a parameter and
close consumes a parameter, hence the need for $\lhd/\rhd$ on the right-hand side: $\lhd$
increases the index $n$ by 1 and $\rhd$ decreases it, in keeping with Def. 5. Both $\lhd/\rhd$
are characterized in Rem. 4 in terms of the Day tensor of $\mathbf{Set}^{\mathbb{N}}$.


4.3 Free models for scoped effects 


We now turn to some concrete models from [23]. To characterize them as certain 
free models of parameterized algebraic theories, we need the following notion. 


Definition 7. $X \in \mathbf{Set}^{\mathbb{N}}$ is truncated if $X(n+1) = \emptyset$ for all $n \in \mathbb{N}$.

Equivalently, $X$ is truncated if $X \cong \lfloor X(0) \rfloor$. The free model on a truncated $X$
corresponds to the case where computation variables can only denote programs
with no open scopes. This is the case in the development of [23], where if the
programmer opens a scope, a matching closing of the scope is implicitly part of
the program.


Nondeterminism. Recall the parameterized theory for nondeterminism with
once (signature in Ex. 6 and equations in Fig. 2). It follows from Prop. 3 that
this theory has a free model on each $X$ in $\mathbf{Set}^{\mathbb{N}}$, with carrier denoted by $T_o(X) \in
\mathbf{Set}^{\mathbb{N}}$. For $X$ truncated, the free model on $X$ has an elegant description:

\[ T_o(X)(n) \cong \mathrm{List}^{n+1}(X(0)). \]

In this case the interpretation of once chooses the first element of a list and
closing a scope wraps its continuation as a singleton list. Choice is interpreted
as list concatenation (++), and failure as the empty list ([]):

\[ \mathrm{once}_n : T_o(X)(n+1) \to T_o(X)(n) \qquad \mathrm{once}_n([]) = [],\ \mathrm{once}_n([x, \ldots]) = x \]
\[ \mathrm{close}_n : T_o(X)(n) \to T_o(X)(n+1) \qquad \mathrm{close}_n(x) = [x] \]
\[ \mathrm{or}_n : T_o(X)(n) \times T_o(X)(n) \to T_o(X)(n) \qquad \mathrm{or}_n(x_1, x_2) = x_1 \mathbin{+\!\!+} x_2 \]
\[ \mathrm{fail}_n : 1 \to T_o(X)(n) \qquad \mathrm{fail}_n() = [] \]


In fact the model $T_o(X)$ we just described is the same as the model for
nondeterminism from [23, Ex. 4.2]:

Theorem 2. The model for nondeterminism with once from [23, Ex. 4.2], starting
from a set $A$, is the free model on $\lfloor A \rfloor \in \mathbf{Set}^{\mathbb{N}}$ for the parameterized theory
of nondeterminism with once (Fig. 2).

Proof (notes). We obtain a description of the free model by directing the equations
from Fig. 2 and computing the normal forms. Then we specialize to $\lfloor A \rfloor$.
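An added example (not the paper's code): the free model $T_o(X)$ described above on a truncated $X$ whose $X(0)$ is taken to be a set of strings, encoded as nested Python lists. It checks the axioms of Fig. 2 index by index on constructed samples and shows how once treats a failure inside the scope differently from a failure after the scope is closed.

```python
# Added example, not the paper's code.  T_o(X)(n) is represented as a Python
# list of depth n+1 over X(0); here X(0) is a set of strings (constructed sample).

def once(t):
    """once_n : T_o(X)(n+1) -> T_o(X)(n).  The first branch is kept; no branch means failure."""
    return [] if not t else t[0]

def close(t):
    """close_n : T_o(X)(n) -> T_o(X)(n+1).  Leaving the scope wraps the continuation as a singleton."""
    return [t]

def or_(t1, t2):
    """or_n : concatenation of the two branches."""
    return t1 + t2

def fail():
    """fail_n : the empty list of branches."""
    return []

def fig2_holds(level_n, level_n1):
    """Check (4)-(7) of Fig. 2 at one index n.  level_n samples T_o(X)(n) and
    level_n1 samples T_o(X)(n+1), the type of the scoped continuations."""
    assoc = all(or_(or_(x, y), z) == or_(x, or_(y, z))
                for x in level_n for y in level_n for z in level_n)                      # (4)
    unit = all(or_(x, fail()) == x and or_(fail(), x) == x for x in level_n)             # (5)
    idem = once(fail()) == fail() and all(once(or_(x, x)) == once(x) for x in level_n1)  # (6)
    first = all(once(close(x)) == x and all(once(or_(close(x), y)) == x for y in level_n1)
                for x in level_n)                                                        # (7)
    return assoc and unit and idem and first

# Constructed samples of T_o(X)(0), T_o(X)(1) and T_o(X)(2).
LEVEL0 = [[], ["p"], ["q", "r"]]
LEVEL1 = [[], [[]], [["p"], ["q"]], [["q", "r"], []]]
LEVEL2 = [[], [[[]]], [[["p"]], [["q"], ["r"]]]]

def inner_failure_is_skipped():
    """once(a.or(fail, close(a, p))) = p: a fail inside the scope contributes no branch,
    as equation (5) applied under once predicts."""
    return once(or_(fail(), close(["p"])))         # -> ["p"]

def outer_failure_is_committed():
    """once(a.or(close(a, fail), close(a, p))) = fail: the first branch leaves the scope
    before failing, so once commits to it (second equation of (7)) and the failure escapes."""
    return once(or_(close(fail()), close(["p"])))  # -> []
```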
Exceptions. Recall the parameterized theory of throwing and catching exceptions
introduced in Ex. 7 and (9-11). For truncated $X \in \mathbf{Set}^{\mathbb{N}}$, the free model
of the theory of exceptions has carrier:

\[ T_e(X)(n) = X(0) + \{e_0, \ldots, e_n\} \]

where $e_{n-i}$ corresponds to the term (in normal form) that closes $i$ scopes then
throws.

To define the operations $\mathrm{catch}_n$ and $\mathrm{close}_n$ we pattern match on the elements
of $T_e(X)(n+1)$ using the isomorphism $T_e(X)(n+1) \cong T_e(X)(n) + \{e_{n+1}\}$.
Below, $x$ is an element of $T_e(X)(n)$, standing for a computation in normal form:

\[ \mathrm{catch}_n : T_e(X)(n+1) \times T_e(X)(n+1) \to T_e(X)(n) \]
\[ \mathrm{catch}_n(x, -) = x, \quad \mathrm{catch}_n(e_{n+1}, x) = x, \quad \mathrm{catch}_n(e_{n+1}, e_{n+1}) = e_n \]
\[ \mathrm{close}_n : T_e(X)(n) \to T_e(X)(n+1) \qquad \mathrm{close}_n(x) = x \]
\[ \mathrm{throw}_n : 1 \to T_e(X)(n) \qquad \mathrm{throw}_n() = e_n \]

The cases in the definition of $\mathrm{catch}_n$ correspond to equations (11), (9), (10)
respectively. In the third case, an exception inside $n+1$ scopes in the second
argument of catch becomes an exception inside $n$ scopes.


Theorem 3. The model for exception catching from [23, Ex. 4.5], which starts
from a set $A$, is the free model on $\lfloor A \rfloor \in \mathbf{Set}^{\mathbb{N}}$ for the parameterized theory of
exceptions (9-11).
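An added example (not the paper's code): the free model $T_e(X)$ of exceptions above on a truncated $X$ with $X(0) = \{a, b\}$ (a constructed sample), encoded as tagged tuples. It checks (9)-(11) at several indices and illustrates the normal forms $e_{n-i}$ and the escaping exception of Ex. 7.

```python
# Added example, not the paper's code.  An element of T_e(X)(n) is either a
# value ("val", a) with a in X(0), or ("exc", i) standing for e_i with 0 <= i <= n,
# the normal form that closes n - i scopes and then throws.

def val(a):
    return ("val", a)

def exc(i):
    return ("exc", i)

def throw(n):
    """throw_n : 1 -> T_e(X)(n), throw_n() = e_n: throw without closing anything."""
    return exc(n)

def close(n, x):
    """close_n : T_e(X)(n) -> T_e(X)(n+1) is the inclusion into T_e(X)(n) + {e_{n+1}}."""
    return x

def catch(n, x, y):
    """catch_n : T_e(X)(n+1) x T_e(X)(n+1) -> T_e(X)(n), by cases on the summand of x."""
    if x != exc(n + 1):
        return x            # (11): x already left the scope, so a later exception escapes catch
    if y != exc(n + 1):
        return y            # (9): the body threw inside the scope; the handler continues as y
    return exc(n)           # (10): both threw inside the scope; rethrow inside n scopes

def elements(n):
    """A constructed sample of all shapes of elements of T_e(X)(n), with X(0) = {a, b}."""
    return [val("a"), val("b")] + [exc(i) for i in range(n + 1)]

def equations_hold(n):
    """Equations (9)-(11) instantiated at index n over the sample."""
    eq9 = all(catch(n, throw(n + 1), close(n, y)) == y for y in elements(n))
    eq10 = catch(n, throw(n + 1), throw(n + 1)) == throw(n)
    eq11 = all(catch(n, close(n, x), y) == x for x in elements(n) for y in elements(n + 1))
    return eq9 and eq10 and eq11

def close_then_throw(n, i):
    """The normal form 'close i scopes, then throw' as an element of T_e(X)(n): it is e_{n-i}."""
    t = throw(n - i)
    for k in range(n - i, n):
        t = close(k, t)
    return t

def escaping_exception():
    """catch(a.close(a, x), b.y(b)) with x = throw: the throw happens after the scope was
    closed, so it is not caught even though a handler is present (index n = 0)."""
    return catch(0, close(0, throw(0)), val("handled"))   # -> exc(0)
```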


State with local values. Recall the parameterized theory of mutable state
with local values in Ex. 8 and its equations (12-17). The free model, in the sense
of Prop. 3, on a truncated $X \in \mathbf{Set}^{\mathbb{N}}$ has carrier:

\[ T_l(X)(0) = 2 \Rightarrow X(0) \times 2 \qquad T_l(X)(n+1) = 2 \Rightarrow T_l(X)(n) \]

The operations on this model are

\[ \mathrm{local}^{i}_{n} : T_l(X)(n+1) \to T_l(X)(n) \qquad \mathrm{local}^{i}_{n}(f) = f(i) \]
\[ \mathrm{close}_n : T_l(X)(n) \to T_l(X)(n+1) \qquad \mathrm{close}_n(f) = \lambda s.\, f \]
\[ \mathrm{get}_n : T_l(X)(n)^2 \to T_l(X)(n) \qquad \mathrm{get}_n(f, g) = \lambda s.\, \begin{cases} f\, s & s = 0 \\ g\, s & \text{otherwise} \end{cases} \]

Notice that the continuation of $\mathrm{local}^{i}$ uses the new state $i$, whereas close discards
the state $s$ which comes from the scope that is being closed.
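An added example (not the paper's code): the carrier $T_l(X)$ above as Python functions on $\{0, 1\}$, with equations (12)-(17) checked extensionally at several indices on constructed samples. The definition of $\mathrm{put}^{i}_{n}$ is not legible in the text above, so the standard state-passing interpretation $\mathrm{put}^{i}_{n}(f) = \lambda s.\, f(i)$ is assumed here.

```python
# Added example, not the paper's code.  T_l(X)(0) = 2 => X(0) x 2 and
# T_l(X)(n+1) = 2 => T_l(X)(n) are represented as Python functions on {0, 1};
# X(0) is a set of strings (constructed sample).

def local(i, f):
    """local^i_n : T_l(X)(n+1) -> T_l(X)(n).  The new scope starts in state i."""
    return f(i)

def close(f):
    """close_n : T_l(X)(n) -> T_l(X)(n+1).  The closed scope's state s is discarded, so
    the continuation f runs against the state of the enclosing scope."""
    return lambda s: f

def get(f, g):
    """get_n(f, g) = lambda s. f s if s == 0 else g s."""
    return lambda s: f(s) if s == 0 else g(s)

def put(i, f):
    """put^i_n(f) = lambda s. f i  (assumed interpretation, see lead-in)."""
    return lambda s: f(i)

def tabulate(f, n):
    """Extensional view of f in T_l(X)(n): its value on every sequence of states."""
    if n == 0:
        return (f(0), f(1))
    return (tabulate(f(0), n - 1), tabulate(f(1), n - 1))

def equal(n, f, g):
    return tabulate(f, n) == tabulate(g, n)

def sample(tag, n):
    """A constructed element of T_l(X)(n) whose result records every state it was run in."""
    if n == 0:
        return lambda s: (tag + str(s), s)
    return lambda s: sample(tag + str(s), n - 1)

def equations_hold(n):
    """Equations (12)-(17) at index n, for level-n samples x, y and level-(n+1) samples u, v."""
    x, y = sample("x", n), sample("y", n)
    u, v = sample("u", n + 1), sample("v", n + 1)
    ok = equal(n, get(put(0, x), put(1, x)), x)                          # (12), first equation
    for i in (0, 1):
        for j in (0, 1):
            ok &= equal(n, put(i, put(j, x)), put(j, x))                 # (12), second equation
            ok &= equal(n, local(i, put(j, u)), local(j, u))             # (16)
        ok &= equal(n, put(i, get(x, y)), put(i, (x, y)[i]))             # (13)
        ok &= equal(n, local(i, close(x)), x)                            # (14)
        ok &= equal(n, local(i, get(u, v)), local(i, (u, v)[i]))         # (15)
        ok &= equal(n + 1, put(i, close(x)), close(x))                   # (17), in context a
    return ok

def state_reverts_after_local():
    """local^1(a.get(close(a, x), close(a, y))) behaves exactly as y run in the outer
    state: inside the scope the state reads 1, and closing restores the old value."""
    x, y = sample("x", 0), sample("y", 0)
    prog = local(1, get(close(x), close(y)))
    return equal(0, prog, y)                             # -> True

def put_does_not_revert():
    """By contrast, put^1(get(x, y)) leaves the state at 1 for the continuation y."""
    x, y = sample("x", 0), sample("y", 0)
    return tabulate(put(1, get(x, y)), 0)                # -> (("y1", 1), ("y1", 1))
```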

If we only consider equations (12-16), omitting (17), the carrier of the free
model on a truncated $X \in \mathbf{Set}^{\mathbb{N}}$ is:

\[ T'_l(X)(0) = 2 \Rightarrow X(0) \times 2 = T_l(X)(0), \qquad T'_l(X)(n+1) = 2 \Rightarrow T'_l(X)(n) \times 2 \]

In fact, $T'_l(X)$ is the model of state with local proposed in [23, §7.1]:
Theorem 4. Consider the example of state with local variables from [23], specialized
to one memory location storing one bit, reading the return type $a$ as a set
$A$. The model proposed in [23, §7.1] is the free model on $\lfloor A \rfloor$ for the parameterized
algebraic theory with equations 12-16.


The interpretations in $T_l(X)$ and $T'_l(X)$ (i.e. that of [23]) of programs with
no open scopes agree:

Proposition 4. Consider a fixed context of computation variables $\Gamma = (x_1 : 0, \ldots, x_n : 0)$
and a truncated $X \in \mathbf{Set}^{\mathbb{N}}$. For any term $\Gamma \mid - \vdash t$, the following
two interpretations coincide at index 0:

\[ \llbracket t \rrbracket_{T_l(X),0} = \llbracket t \rrbracket_{T'_l(X),0} : (T_l(X)(0))^{n} \to T_l(X)(0), \]

under the identification $T_l(X)(0) = T'_l(X)(0)$.

The restrictions of $\Gamma$ to computation variables that do not depend on parameters
and of $\Delta$ to be empty are reasonable because in the framework of [23], only
programs with no open scopes are well-formed. Therefore, only such programs
can be substituted in $t$, justifying the restriction of $\llbracket t \rrbracket_{T'_l(X)}$ to index 0.


5 Summary and research directions 


We have provided a fresh perspective on scoped effects in terms of the formal- 
ism of parameterized algebraic theories, using the idea that scopes are resources 
(Rem. 2). As parameterized algebraic theories have a sound and complete alge- 
braic theory (Props. 2, 3), this carries over to a sound and complete equational 
theory for scoped effects. We showed that our fresh perspective recovers the 
earlier models for scoped non-determinism, exceptions, and state (Thms. 2-4). 

Here we have focused on equational theories for effects alone. But as is standard
with algebraic effects, it is easy to add function types, inductive types,
and so on, together with standard beta/eta theories (e.g. [25],[38, §5]). This can
be shown sound by the simple models considered here, as indeed the canonical
model $\mathbf{Set}^{\mathbb{N}}$ is closed and has limits and colimits.

Our fresh perspective opens up new directions for scoped effects, in theory 
and in practice. By varying the substructural laws of parameterized algebraic 
theories, we can recover foundations for scoped effects where scopes (as resources) 
can be reordered or discarded, i.e. where they are not well-bracketed, already 
considered briefly in the literature [23]. For example, the parameterized algebraic 
theory of qubits [38] might be regarded as a scoped effect, where we open a scope 
when a qubit is allocated and close the scope when it is discarded; this generalizes 
traditional scoped effects as multi-qubit operations affect multiple scopes. 
Abstract. We extend intersection types to a computational λ-calculus
with algebraic operations à la Plotkin and Power. We achieve this by
considering monadic intersections—whereby computational effects appear
not only in the operational semantics, but also in the type system. Since
in the effectful setting termination is not anymore the only property of
interest, we want to analyze the interactive behavior of typed programs
with the environment. Indeed, our type system is able to characterize
the natural notion of observation, both in the finite and in the infinitary
setting, and for a wide class of effects, such as output, cost, pure and
probabilistic nondeterminism, and combinations thereof. The main technical
tool is a novel combination of syntactic techniques with abstract
relational reasoning, which allows us to lift all the required notions, e.g.
of typability and logical relation, to the monadic setting.


1 Introduction 


Type systems are a key aspect of programming languages, ensuring good behavior 
during the execution of programs, such as absence of errors, termination, or 
properties such as productivity, safety, and reachability. Additionally, they ensure 
it in a compositional way, that is, if programs are assembled according to the 
underlying type discipline, then the good behavior is ensured also for the composed 
program. 


Intersection Types. Type systems have solid roots in logic and proof theory, 
as witnessed by the Curry-Howard correspondence between simple types and 
intuitionistic natural deduction. However, in the theory of the λ-calculus, there is
another use of types that has been studied at length: intersection types. They were 
introduced by Coppo and Dezani-Ciancaglini in the late 70’s [16] to overcome 
the limitations of Curry’s type discipline and enlarge the class of terms that can 
be typed. This is reached by means of a new type constructor, the intersection. 
In this way, one can assign a finite set of types to a term, thus providing a form 
of finite polymorphism. 

Similarly to simple types, intersection types ensure termination. In contrast
to most notions of types, however, they also characterize termination, that is,
they type all terminating λ-terms. They can be seen as a compositional way of
defining operational semantics, or, in a dual way, as a syntactic presentation of
denotational models. Additionally, intersection types have shown to be remarkably
flexible, since different termination forms can be characterized by tuning details
of the type system (e.g., weak/strong full normalization, head/weak/call-by-value
evaluation). Termination being only semi-decidable, type inference cannot be
decidable, which is why standard intersection types are somewhat incompatible
with programming practice, although some restricted forms of intersection types
have found applications in programming, see for example [33,53,34,28], or the
recent survey by Bono and Dezani-Ciancaglini [12].


Beyond the Pure λ-Calculus. Intersection types have been mostly developed
in the realm of the pure λ-calculus. However, current programming languages are
deeply effectful, exhibiting several simultaneous impure behaviours, such as raising
exceptions, performing input/output operations, sampling from distributions,
etc. Reasoning about effectful programs becomes a challenging goal since their
behaviour becomes highly interactive, depending on the external environment.
Type-based techniques seem very interesting in this respect, since they enable
modular and compositional analysis of program behaviour. In particular, intersection
type systems have already been successfully adapted to some concrete
computational effects, such as probabilistic [13,18], and pure nondeterminism [65].
In spite of the remarkable results achieved by each of these formalisms — for
instance, probabilistic intersection types have been proved to characterize almost-sure
termination — all of these come with a major drawback: they are tailored to
the specific family of effects considered. This results in a lack of robustness and
modularity when it comes to extending languages with new effects. For instance,
probabilistic intersection types as they are cannot cope with, e.g., languages
with both randomness and output. This problem can be fixed (output is a well-behaved
effect that nicely interacts with probabilistic nondeterminism) but in a
highly non-modular way. One has, in fact, to re-engineer the whole theoretical
framework behind probabilistic intersection types to account for output, too.
Now, the leading question is: can intersection types be scaled up in the case
of effectful λ-calculi, in a modular way? In this paper, we answer this question in
the affirmative by developing a general monadic intersection type system for an
untyped computational λ-calculus with algebraic operations à la Plotkin
and Power [57]. In fact, our system covers both finitary and infinitary effectful
operational behaviours in a sound and complete way, and generalises existing
effectful intersection type systems, such as probabilistic intersection types. To
achieve this result, we combine state-of-the-art techniques in monadic semantics,
intersection types, and relational reasoning, in a novel and nontrivial way.


Monadic Semantics. As we have already mentioned, our work is grounded on
the theoretical framework pioneered by Moggi [50,51], which describes computational
effects via monads [49]. Moggi’s work described how monads could give
denotational semantics to effectful programs, but did not tell anything about how
computational effects are actually produced. Plotkin and Power introduced
algebraic effects as a way of giving monadic semantics, in the style of Moggi, to
certain operations which actually produce computational side effects. The core
syntax of effectful languages can be thus given in terms of computational calculi
with effect-triggering operations. But what about the operational semantics and,
most importantly, the (intersection) type system?

There is a well-known way to give effectful operational semantics to programming
languages, namely making operational semantics effectful itself. That is,
if we model the operational semantics of a language using a transition relation
between terms, then we can make such a relation monadic by relating terms
with monadic terms, i.e. terms encapsulated by a monad, encoding the effects
produced during the computation. Such relations—i.e. relations of the form
$R \subseteq A \times T(B)$, with $T$ a monad—are known as monadic or Kleisli relations and
have been successfully used to give operational semantics to monadic calculi.

What about the type system? In its bare essence, it is given by a relation
between terms and types, hence leading to a situation similar to the one of
operational semantics. The analogy is no coincidence: as we obtain monadic
operational semantics relying on the theory of monadic relations, the very same
theory allows us to define monadic type systems: a monadic typing relation
associates terms with monadic types. This idea has already been exploited by Dal
Lago and collaborators [13,18], who realised that to extend intersection types
to probabilistic languages one has to type expressions not with types, but with
distributions of types.⁴ This is nothing but a monadic typing relation instantiated
to the distribution monad.


Relational Reasoning. Working at the abstract level of monadic relations gives 
several advantages, both in terms of modularity and expressiveness. Concerning 
the former, we shall develop abstract proof techniques that allow us to give proofs 
of subject reduction and expansion independently of the underlying monad. 
Such factorization results rely on the theory of (monadic) relational extensions. 
Here, one studies how to extend a monadic relation R ⊆ A × T(B), such as 
the one modeling one-step operational semantics, or typing between terms and 
monadic types, to a relation R† ⊆ T(A) × T(B), necessary to model operational 
semantics, or typing, of monadic terms. Such extensions, even if canonical, do 
not exist in general, and a celebrated result by Barr gives necessary and 
sufficient conditions for the existence of relational extensions: monads must be 
weakly cartesian [7,15]. Intuitively, being weakly cartesian means that during 
the evaluation there is no loss of information about the performed effects. This is 
a form of reversibility that is needed, e.g., in subject expansion. 

This restriction rules out from our analysis monads such as the powerset 
or the distribution monad. Although that may appear as a weakness of our 
framework, it actually reflects a nontrivial limitative result that has already been 
observed in different forms in the literature: results involving forms of reversibility, 
such as subject expansion, are simply not available when monads are not weakly 
cartesian. This is the deep reason why probabilistic intersection types are defined 
via the multi-distribution, rather than distribution, monad. Remarkably, the 
same kind of limitative result has also been proved in the setting of monadic 
operational semantics and rewriting [86]. 


4 Actually, as we will show in Section 4, distributions do not behave well in this case. 
This is why in [13] convex sets of distributions are used. Multidistributions are instead 
used in [18]. 


Contributions. In this paper, we introduce the first (to the best of our knowl- 
edge) intersection type system handling the computational λ-calculus with alge- 
braic operations. This is done by letting not only terms, but also intersection 
types be monadic. The main idea of intersection types is that they are a static 
way to describe the mechanism of evaluation of programs. Since the operational 
semantics of effectful languages can be conveniently described by evaluation 
inside monads, it is natural to embed also intersection types inside them. This 
way, we are able to push forward the correspondence between intersection type 
derivations and term evaluation to the effectful/monadic setting. More precisely, 
we develop several contributions and theoretical advances: 

— The Type System: We provide the first idempotent⁵ intersection type system 
for a λ-calculus with algebraic operations which is parametric in the underlying 
monad. We design the type system in such a way that not only terms, but 
also types become monadic. 

— Characterization of Observable Behavior: Differently from the pure untyped 
setting, in which intersection types characterize (different forms of) termi- 
nation of programs, in the effectful setting we would like to characterize via 
the type system all the effects produced during the evaluation. Indeed, we 
obtain such a result by generalizing standard soundness and completeness the- 
orems, via abstract relational techniques. In particular, observable behaviors 
of typable (i.e. all the terminating) terms can be read out of their types. 

— Intrinsic Limits: Our approach comes with the already described intrinsic 
limits about the class of well-behaved monads (the weakly cartesian ones). 
Moreover, if one sticks with the finitary case, where the natural notion of 
convergence is must termination, another restriction on the kinds of admissible 
operations is needed. Indeed, operations that erase arguments also break 
subject expansion, and thus the completeness of the system. Still, this 
restriction can be removed by considering an infinitary semantics. 

— The Infinitary Case: Some interesting notions of observation, such as the 
probability of convergence in probabilistic calculi, are naturally infinitary. 
For this reason, we extend our type system to capture infinitary behaviors. 
Interestingly, we need to add just one typing rule to the previous (finitary) 
system, namely the one that can type every term with the bottom of the monad. 


5 The choice of the idempotent variant of intersection types should not be taken too 
strictly. All the results of the paper hold also turning intersections into multisets, 
mutatis mutandis. Moreover, the meta-theory in the idempotent case is more involved 
(requiring logical relations to prove soundness), and we show this way the strength of 
our approach. Still, it is not an exercise of style, because intersection type systems 
used to formalize higher-order model checking algorithms (see Sec. 7 for a more 
detailed discussion) must be idempotent, since otherwise one would lose decidability. 
Naturally, this extension requires the monads to satisfy more conditions 
(mainly domain-theoretic ones). Remarkably, this way we are actually able 
to relax the constraint on non-erasing operations introduced in the finitary 
system. 


Related Work. To the best of our knowledge, this is the first work about 
monadic intersection type systems for effectful calculi with algebraic operations 
which are parametric in the underlying monad. On an orthogonal axis, an 
intersection type system for a variant of Moggi's computational λ-calculus, but 
without any reference to algebraic operations, has been proposed in [25], while 
intersection types have been developed for calculi with continuations in [9] and, paired 
with union types, in [45]. With concrete monads, instead, various proposals have 
appeared for the state monad [29,26,27,5] and the distribution monad [31,13,18]. 
Moreover, lifting the monad to the type system has already been done in a 
series of works by Dal Lago and coauthors, e.g. to analyze complexity and 
recently for the state monad in [5]. More on the programming side, intersection 
types have been proposed for a λ-calculus with computational side effects and 
reference types in [23], but without any reference to monads. 


Proofs. Omitted proofs are in the technical report [87]. 


2 Intersection Types and the CbV λ-Calculus 


We devote this section to a gentle introduction to intersection type systems. 
For the moment, we do not consider effectful calculi and we set our analysis in 
the (almost) standard setting of Plotkin's call-by-value (CbV) λ-calculus [55]. 
Actually, the calculus we present is the kernel of the CbV λ-calculus, which is as 
expressive as Plotkin's [2,32], but allows only a restricted form of term 
application. 


The (kernel) CbV λ-Calculus. Given a countable set of variables 𝒱, values 
and computations are defined by mutual induction as follows: 


COMPUTATIONS    C ∋ t, u ::= v | vt 
VALUES          V ∋ v, w ::= x ∈ 𝒱 | λx.t 
EVAL. CONTEXTS  ℰ ∋ E ::= [·] | vE 


Free and bound variables are defined as usual: λx.t binds x in t. Terms are 
considered modulo α-equivalence. Capture-avoiding (meta-level) substitution of 
u for all the free occurrences of x in t is written t{x/u}. As is customary when 
working in the CbV setting, we restrict ourselves to closed terms, i.e., we consider 
only terms without free variables. This means that the normal forms are all and 
only the closed values, noted 𝒱°, i.e. the λ-abstractions. The traditional β rule is 
restricted to values, i.e. only (closed) values can be substituted: (λx.t)v → t{x/v}. 
Fig. 1: The intersection type system for closed call-by-value. 


The deterministic operational semantics ↦ is obtained by closing the β rule (by 
value) → w.r.t. all evaluation contexts. Please notice that although we restricted 
term application to have a value as the left subterm, we can recover the usual 
application between terms as tu := (λx.xu)t, where x is a fresh variable. 


Intersection Types for the CbV λ-Calculus. The CbV λ-calculus is a uni- 
versal, i.e. Turing complete, model of computation. This way its halting problem 
is obviously undecidable. Nonetheless, terminating terms can be characterized by 
syntactic means. Intersection types are one way of doing this, in a compositional 
and logical way. The grammar of types is reminiscent of the call-by-value transla- 
tion (·)ᵛ of intuitionistic logic into linear logic [38,30]: (A → B)ᵛ = !Aᵛ ⊸ !Bᵛ. 
Semantically, they can be seen as a syntactical presentation of filter models of the 
λ-calculus [17]. The grammar for types is based on two layers of types, defined in 
a mutually recursive way: value types A, and intersections (i.e. sets) I of value 
types. 

VALUE TYPES     𝒜 ∋ A ::= I → J 
INTERSECTIONS   ℐ ∋ I, J ::= {A_1, ..., A_n}    n ≥ 0 


TYPES           𝒢 ∋ G ::= A | I 


Remark 1. Please notice that intersections can be empty. The empty intersection 
type ∅ := {} stands for the type of erasable terms, which in Closed CbV are just 
those terms evaluating to closed values (i.e. λ-abstractions). In CbV, terminating 
terms and erasable terms coincide, as the argument of a β-reduction has to be 
evaluated before being erased (and so its evaluation has to terminate). 


Type environments, ranged over by Γ, Δ, are total maps from variables to 
intersection types such that only finitely many variables are mapped to non-empty 
intersection types, and we write Γ = x_1 : I_1, ..., x_n : I_n if dom(Γ) = {x_1, ..., x_n}. 
Type judgments have the form Γ ⊢ t : G. The typing rules are in Fig. 1, where F 
stands for a finite, possibly empty, set of indexes; type derivations are written π 
and we write π ▷ Γ ⊢ t : G for a type derivation π with the judgment Γ ⊢ t : G 
as its conclusion. 

Intuitively, intersections are needed because, during the evaluation of a term 
t, a subterm of t can assume different types. For example in (λx.xx)(λy.y), the 
argument λy.y has type ∅ → ∅ when it substitutes the first occurrence of x, in 
functional position, and has type ∅ when it substitutes the second occurrence 
of x, in argument position. These different uses, which require different types, 
are encoded into the intersection type. Moreover, the type system, contrarily to 
what happens in call-by-name, and consistently with the rationale of CbV, needs 
arguments of applications to be typed (with an intersection) just once. 


Fig. 2: Type derivation for ⊢ (λx.xx)(II) : ∅. We set id := ∅ → ∅. [The derivation 
tree is not recoverable from the extraction; its main judgments are: x : {id} ⊢ x : id 
(VAR), x : {id} ⊢ x : ∅ (INT), x : {id} ⊢ xx : ∅ (APP), ⊢ λx.xx : {id} → ∅ (ABS); 
⊢ λy.y : {id} → {id}, ⊢ λz.z : {id}, ⊢ (λy.y)(λz.z) : {∅ → ∅} (APP); and, by a final 
APP, ⊢ (λx.xx)(II) : ∅.] 


Example 1. We provide the type derivation for the term ⊢ (λx.xx)(II) : ∅, where 
I := λx.x, in Fig. 2. One can notice that our example term, being CbV-normalizing, 
can be typed with ∅. 


Characterization of Termination. Intersection types characterize Closed 
CbV termination, that is, they type all and only those A-terms that terminate 
with respect to Closed CbV. We give a very brief overview of how this result is 
achieved. In the following sections, we shall prove all these results in the effectful 
setting. The reader could, however, benefit from the exposition of the main steps 
in this simpler setting. 

Similarly to more traditional type systems, this intersection type system 
enjoys subject reduction, i.e. types are preserved under reduction. 


Lemma 1 (Subject Reduction). Let t be a closed λ-term. If ⊢ t : I and t ↦ u, 
then ⊢ u : I. 


Moreover, as with simple types, all typable terms terminate. 


Proposition 1 (Soundness). Let t be a closed λ-term. If ⊢ t : I, then t has a 
normal form. 


Contrarily to simple types, intersection types satisfy also subject expansion. This 
means that types are preserved also by backward reductions (i.e. expansions). 


Lemma 2 (Subject Expansion). Let t be a closed λ-term. If ⊢ u : I and 
t ↦ u, then ⊢ t : I. 


Together with the fact that normal forms, i.e. A-abstractions, can always be 
typed with the empty type 0, this gives the completeness of the type system, i.e. 
the fact that every terminating term is typable. 


Proposition 2 (Completeness). Let t be a closed λ-term. If t has a normal 
form, then there exists an intersection type I such that ⊢ t : I. 


Putting soundness and completeness together, we obtain the full characterization 
of termination via typability. 


Theorem 1 (Characterization). Let t be a closed λ-term. Then there exists 
an intersection type I such that ⊢ t : I if and only if t has a normal form. 
3 Preliminaries on Monads, Algebraic Effects, Operations 


In this section, we recall some preliminary notions on monads [49], algebras [60], 
and relational reasoning [61], that will be central to the rest of this paper. Due 
to space constraints, there is no hope to be comprehensive, and thus we assume 
the reader to have minimal familiarity with those fields. Unless explicitly stated, 
we work in the category Set of sets and functions and we tacitly restrict all 
definitions to it. Since we will extensively work with relations, we employ the 
relational notation even for functions, writing f; g : A → C for the composition 
(in diagrammatic order) of f : A → B and g : B → C, and 1_A : A → A (mostly 
omitting subscripts) for the identity function. 


Monads and Algebraic Effects. We use monads [50,51] to model computa- 
tional effects. 


Definition 1 (Monad). A monad (on Set) is a triple (T, η, μ) consisting of 
a functor T (on Set) together with two natural transformations: η : Id_Set ⇒ T 
(called unit) and μ : TT ⇒ T (called multiplication) subject to the following 
laws: η; μ = T(η); μ = 1 and T(μ); μ = μ; μ. 


Given a monad (T, η, μ) we oftentimes identify it with its carrier functor. 
Moreover, we write f† : T(A) → T(B) for the Kleisli extension of f : A → T(B), 
where f† := T(f); μ, and >>= for the binding operator induced by (−)†. Such an 
operator maps a monadic element t ∈ T(A) and a monadic function f : A → T(B) 
to the monadic element t >>= f in T(B), defined as f†(t). It is well known that using 
this construction a monad can also be presented as a Kleisli triple (T, η, (−)†), 
or with the bind operation in place of μ, i.e. as (T, η, >>=) [50]. 

To model how actual effects are produced, Plotkin and Power introduced 
the notion of an algebraic operation, which we shall use to make calculi 
truly effectful. 


Definition 2 (Algebraic Operation). Given a monad (T, η, μ), an n-ary 
algebraic operation is a natural transformation α : Tⁿ ⇒ T respecting the monad 
multiplication. 


From an operational perspective, algebraic operations describe those operations 
whose execution is independent of the context in which they are executed. 


Example 2 (Concrete Monads and Operations). 


1. Divergent computations are modelled by the maybe or partiality monad 
(ℳ, η, μ), where ℳ(A) := A + {⊥}, η is the left injection ι_ℓ, and μ : ((A + 
{⊥}) + {⊥}) → A + {⊥} sends ι_ℓ(ι_ℓ(x)) to ι_ℓ(x), and everything else to ⊥. 
Therefore, an element in ℳ(A) is either an element a ∈ A (meaning that we 
have a terminating computation returning a), or the element ⊥ (meaning 
that the computation diverges). As non-termination is an intrinsic feature of 
Turing-complete programming languages, we do not consider explicit operations to 
produce divergence. Nonetheless, notice that we might consider the constant 
⊥ as a zero-ary operation producing divergence (linguistically, this essentially 
corresponds to adding an always diverging constant diverge). 


2. Replacing {⊥} with a set of errors Err, we obtain the exception monad. 
Exceptions are produced by means of 0-ary operations raise_e, indexed by 
elements e ∈ Err. 


3. Probabilistic computations are modelled by the (finitary) distribution monad 
(𝒟, η, μ), where 𝒟(X) is the set of distributions over X with finite support 
(the support of a distribution d ∈ 𝒟(X) being supp(d) := {x ∈ X | d(x) > 0}), 
η(x) is the Dirac distribution on x, and μ(Φ)(x) := Σ_φ Φ(φ) · φ(x). Finite 
distributions are produced using weighted sums, i.e. (0, 1]-indexed binary 
operations +_p defined thus: (φ_1 +_p φ_2)(x) := p · φ_1(x) + (1 − p) · φ_2(x). In a 
similar fashion, one defines the finitary subdistribution monad 𝒟_{≤1} and the 
countably supported (sub)distribution monad 𝒟_ω. In the former case, we 
simply allow distributions to have total weight smaller than 1, whereas in the 
latter case we allow distributions to have countable support (i.e. the set of 
elements where the distribution is non-null must be countable). 


4. Computations with output are modelled by the writer or output monad 
(𝒲, η, μ), where 𝒲(A) = W × A and (W, 1, ·) is a monoid. Unit and multi- 
plication are defined by η(x) = (1, x) and μ(w, (v, x)) = (w · v, x). Taking 
the monoid of words, we can think of (w, x) as the result of a program 
printing w and returning x. If, instead, we take the monoid (ℕ, 0, +), then we 
obtain the cost or complexity monad [59], whereby we read (n, x) as the result 
of a computation that produces x with cost n. We consider a W-indexed 
family of unary operations out_w, defined by out_w(v, x) = (w · v, x). These are 
indeed algebraic. When dealing with cost, one usually considers the single 
operation out_1, usually written tick or simply √. 


5. We model nondeterminism using the powerset monad (𝒫, η, μ), where η(x) = 
{x} and μ(U) = ∪U. We generate nondeterminism using (binary) set-theoretic 
union, which is indeed algebraic. The finitary powerset monad 𝒫_f is obtained 
from 𝒫 by taking as underlying functor the finite powerset functor P_f. Sim- 
ilarly, the non-empty powerset monad 𝒫⁺ is obtained by taking the 
non-empty powerset functor P⁺. 


Most monads seen in Example 2 have countable support in the sense that 
whenever t ∈ T(A) there exists a countable set supp(t) ⊆ A upon which t is 
built. Such a set is called the support of t and generalises the notion of support 
one has for distributions. In general, not all monads have support and thus we 
restrict our analysis to such monads. First, we consider only monads that preserve 
injections: that is, if ι : X ↪ A is an injection, then so is T(ι) : T(X) → T(A). 
We regard T(ι) as a monadic inclusion and write t ∈ T(X) if there exists a 
(necessarily unique) s ∈ T(X) such that T(ι)(s) = t. Notice that all monads of 
Example 2 preserve injections and that if a monad preserves weak pullbacks (a 
condition we shall exploit in Section 4), then it preserves injections. 


Definition 3 (Support). 
1. Given an element t ∈ T(A), the support of t, if it exists, is the smallest subset 
ι : X ↪ A such that t ∈ T(X). We denote such a set by supp(t). 

2. We say that a monad T has countable (resp. finitary) support if any t ∈ T(A) 
has countable (resp. finite) support, i.e. supp(t) exists and is countable 
(resp. finite), for any set A. 


Example 3. All the monads in Example 2 are countable, with the exception of the 
(non-finitary) powerset monads. Nonetheless, we can regard them as countable 
by taking their countable restriction. Indeed, as we shall apply them to countable 
sets (of terms), such a restriction is by no means a constraint. The output monad, 
the maybe monad, the finitary (sub)distribution monad, and the finitary powerset 
monad all have finitary support. For example, let us take the set 𝒟(ℕ) of the 
probability distributions on natural numbers. If 𝒟(ℕ) ∋ d := p · 5 + (1 − p) · 7, with 
0 < p < 1, applying the definition of support stated above, we obtain that the 
smallest set X such that d ∈ 𝒟(X) is X = {5, 7}. This set matches exactly the 
one obtained from the standard definition of support for probability distributions 
given in Example 2. 


Algebraic Theories. Since effects are ultimately produced by algebraic opera- 
tions, we oftentimes describe computational effects by means of algebraic theories, 
i.e. via a collection of operations and equations. 

Recall that a signature Σ is a family of sets {Σ_k}_{k∈ℕ}, the elements σ, ρ, ... 
of each Σ_k being called k-ary operations. The set T_Σ(X) of Σ-terms (just 
terms) over X is the least such that (1) x ∈ T_Σ(X) for any x ∈ X, and (2) 
σ(t_1, ..., t_n) ∈ T_Σ(X) whenever σ ∈ Σ_n and t_1, ..., t_n ∈ T_Σ(X). The construction 
of Σ-terms defines a functor T_Σ which is part of a monad whose unit is given by 
the subset inclusion injection ι : X ↪ T_Σ(X) and whose multiplication is given by 
term substitution. 

An algebraic or equational theory over T_Σ(X) is given by a relation E ⊆ 
T_Σ(X) × T_Σ(X) of equations between such terms. For a theory E, we write ~_E 
(or just ~) for the least congruence relation on terms that is closed under term 
substitution and contains E. The free E-theory over X is the quotient of T_Σ(X) 
by ~_E. This construction gives a functor which is part of a monad, called the 
free theory monad of E. 


Example 4 (Concrete Algebraic Theories). 


1. The theory of divergence has a single 0-ary operation and no equation. Its 
free theory monad gives the maybe monad. 

2. The theory of nondeterminism consists of a single binary operation ∨ together 
with the usual join semilattice equations [1]. Its associated free theory monad 
gives the finitary non-empty powerset monad. If we drop the idempotency 
equation x ∨ x ~ x, we obtain the theory of multisets [64] and the associated 
multiset monad. If we also drop commutativity, we obtain the theory of lists 
and the associated list monad. 
3. The theory of probabilistic nondeterminism has binary operations +_p indexed 
by rational numbers 0 < p < 1 subject to the usual axioms of a barycentric 
algebra [63]: 

x +_p x ~ x;    x +_1 y ~ x;    x +_p y ~ y +_{1−p} x; 

x +_p (y +_q z) ~ (x +_{p/(p+(1−p)q)} y) +_{p+(1−p)q} z. 

The free theory monad of this theory gives the finitary distribution monad. The 
theory of multi-distributions or indexed valuations (and their corresponding 
monads) [7,66] is obtained by dropping the idempotency axiom x +_p x ~ x. 

4. Fixing a monoid W, the theory of the writer monad has a unary operation 
out_w for each w ∈ W, and equations 


out_1(x) ~ x    out_w(out_v(x)) ~ out_{w·v}(x). 

Relations. We will extensively work with relations. We denote by Rel the 
category with sets as objects and binary relations as arrows. As is customary, 
we use the notation R : A ⇸ B for a relation R ⊆ A × B, and write Rel(A, B) 
for the collection of relations of type A ⇸ B. We tacitly regard each function 
f as a relation via its graph and write 1_A : A ⇸ A for the identity relation, 
the latter being the graph of the identity function. We furthermore denote by 
R; S : A ⇸ C the composition of R : A ⇸ B and S : B ⇸ C, and by R° : B ⇸ A 
the dual or transpose of R : A ⇸ B. 


4 Monadic Intersection Types 


In this section, we present the monadic extension of the intersection type system 
for CbV presented in Section 2. 


Effectful CbV. The target calculus of the remaining part of this work is an 
effectful extension of the CbV λ-calculus previously introduced. We follow the 
methodology of algebraic effects [57] and fix a signature Σ of effect-triggering 
operations, as seen in the previous section. The calculus Λ_Σ is obtained by 
extending the grammar of the (kernel) CbV λ-calculus as follows: 


C ∋ t, u ::= ··· | op(t_1, ..., t_n) 


As before, we denote by C° and V° the collection of closed computations and 
values, respectively. Finally, we write R° for the subset of C° of redexes, i.e. 
computations of the form (λx.t)v or op(t_1, ..., t_n). 

We give an operational semantics to Λ_Σ in monadic style [56,86]. Let (T, η, μ) 
be an arbitrary but fixed monad with countable support. We assume that to each 
n-ary operation op ∈ Σ is associated an n-ary algebraic operation σ_op on T. 

We define a function ↦ : C° → T(C°) on closed terms that performs a single 
computation step (possibly performing effects) by first defining ground reduction 
and then closing the latter under evaluation contexts. To improve readability, we 
write t ↦ e in place of ↦(t) = e and we refer to elements in T(C) (resp. T(V)) 
as monadic (or effectful) computations (resp. values). 


Definition 4 (Operational Semantics). We define the function ⇒ : R° ∪ V° → 
T(C°) as follows: 


(λx.t)v ⇒ η(t{x/v}) 
op(t_1, ..., t_n) ⇒ σ_op(η(t_1), ..., η(t_n)) 
v ⇒ η(v) 


The function ↦ : C° → T(C°) is then defined as the contextual closure of ⇒, i.e. 
E[r] ↦ e >>= (λu. η(E[u])), where r is a redex and r ⇒ e. 

In this last definition the symbol λ has to be read as a meta-lambda 
notation, i.e. by λu. η(E[u]) we mean the function h : C° → T(C°) such that 
h(u) := η(E[u]). In particular, in the definition of the contextual closure we 
exploit the algebraicity of the effects, making them commute with evaluation 
contexts. Moreover, notice that ↦ is indeed a function. Consequently, we can 
rely on its Kleisli extension ↦† to reduce monadic computations. We write ↦ⁿ 
for the n-fold iteration of ↦, where ↦⁰ := η and ↦ⁿ⁺¹ := ↦; (↦ⁿ)†. In a similar 
fashion, we write ↦* for ∪_n ↦ⁿ. Please notice that since algebraic operations 
are finitary, all monadic computations that a computation t can reach in finitely 
many steps have finite support, meaning that t ↦* e implies that supp(e) is finite. 


Definition 5 (Finitary Convergence). We say that a closed computation t 
converges if there exists e ∈ T(C°) such that t ↦* e and supp(e) ⊆ V°.⁶ In that 
case, we write ⟦t⟧ = e. 


Please notice that ⟦·⟧ is a partial function. Indeed, terms can diverge. 


The Monadic Type System. The main idea behind the development of the 
type system is that not only terms, but also intersection types become monadic. 
The natural design choice is to follow the informal CbV translation of intuitionistic 
logic into linear logic combined with Moggi's translation: 


A → B    ⇝    !A ⊸ T(!B) 


A third level of (monadic) types is then added to the grammar of types: 


VALUE TYPES     𝒜 ∋ A ::= I → M 
INTERSECTIONS   ℐ ∋ I, J ::= {A_1, ..., A_n}    n ≥ 0 
MONADIC TYPES   ℳ ∋ M, N    where ℳ := T(ℐ) 
TYPES           𝒢 ∋ G ::= A | I | M 


6 To be formally precise, here we should say that supp(e) belongs to the image of V° 
into C°. In order to maintain the work as readable as possible, we will be sloppy and 
here (and in similar situations) simply identify V° and its image in C°. 
VAR    A ∈ I  ⟹  Γ, x : I ⊢ x : A 

ABS    Γ, x : I ⊢ t : M  ⟹  Γ ⊢ λx.t : I → M 

APP    (Γ ⊢ v : I_i → M_i)_{1≤i≤n},  Γ ⊢ t : N,  supp(N) ⊆ {I_1, ..., I_n}  ⟹  Γ ⊢ vt : N >>= ({I_i ↦ M_i}_{1≤i≤n}) 

OP     (Γ ⊢ t_i : M_i)_{1≤i≤n}  ⟹  Γ ⊢ op(t_1, ..., t_n) : σ_op(M_1, ..., M_n) 

INT    (Γ ⊢ v : A_i)_{i∈F}  ⟹  Γ ⊢ v : {A_i}_{i∈F} 

UNIT   Γ ⊢ v : I  ⟹  Γ ⊢ v : η(I) 


Fig. 3: The monadic intersection type system (each rule written as premises ⟹ conclusion). 


We maintain all the notations already presented in Section 2 for the CbV 
type system. The typing rules are in Fig. 3. While rules ABS, VAR and INT are 
almost unchanged, the other rules deserve some comments. The rule UNIT is 
needed to give a monadic type to values. Since values do not produce any effect, 
they are injected into the monad just with η. Rule APP types applications vt with 
a monadic type. The important point is that the subterm v in function position 
has to be typed many times, once for each element in the support of the (monadic) 
type of the argument t. Please notice (i) that with the notation {I_i ↦ M_i}_{1≤i≤n} 
we mean the function that maps pointwise I_i to M_i for each 1 ≤ i ≤ n; and (ii) 
the >>= operator at the level of types. This should not come unexpectedly, since 
types are monadic, and thus are composed using monadic laws. In particular, 
the effects produced by the argument, encoded in its type, have to be composed 
with the effects that will be generated by the rest of the computation (see the 
example below for more intuition). Finally, rule OP types operations with the 
monadic type built with the corresponding algebraic operation, applied to the 
(monadic) types of the arguments of the operation itself. 


Example 5. We provide in Fig. 4 the derivation for ⊢ (λx.x(out_b(x)))(out_a(II)) : 
(ab, ∅), which is the very same term as in Example 1 decorated with output 
operations. As monoid of words, we consider the monoid Σ* freely generated 
from the alphabet Σ := {a, b}. One can notice that the assigned type contains 
all the information about the symbols printed on the output buffer during 
the evaluation of the term. Please notice how types are composed in the last 
rule APP. The function λx.x(out_b(x)) is typed only once, since the support of the 
monadic type (a, {id}) of its argument out_a(II) is a singleton. Notice that the bind 
operator >>= : W × X → (X → W × X) → W × X in the case of the output monad 
is defined as (a, x) >>= f := (ab, y) if f(x) = (b, y). Intuitively, the usual composition 
is done, but for the fact that the strings (a and b in this case) are concatenated. 
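The following interpreter is an added example and not code from the paper: it implements the monadic operational semantics of Definitions 4 and 5 parametrically in the monad, as the text does, and runs the term of Example 5 to check that the word recorded by evaluation, ab, is the one announced by its type (ab, ∅). Two monads of Example 2 are instantiated, the output monad over the free monoid on {a, b} (with the unary operations out_w) and the finitary powerset monad (with a binary operation or, interpreted as union); with no operations it is just the evaluator of the kernel CbV calculus of Section 2. The term constructors, the monad classes, the operation names and the fuel bound that turns the partial function ⟦·⟧ into a total one are my own choices and are not part of the paper.

```python
from dataclasses import dataclass
from itertools import count

# Terms of the kernel CbV calculus with operations (my encoding, not the paper's).
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    x: str
    body: object

@dataclass(frozen=True)
class App:      # kernel application: the function position must be a value
    fun: object
    arg: object

@dataclass(frozen=True)
class Op:       # op(t1, ..., tn) for an operation symbol op of the signature
    name: str
    args: tuple

def is_value(t):
    return isinstance(t, (Var, Lam))

def subst(t, x, v):
    """t{x/v}. Only closed values are ever substituted (closed CbV), so no
    capture can occur and stopping at a rebinding of x is enough."""
    if isinstance(t, Var):
        return v if t.name == x else t
    if isinstance(t, Lam):
        return t if t.x == x else Lam(t.x, subst(t.body, x, v))
    if isinstance(t, App):
        return App(subst(t.fun, x, v), subst(t.arg, x, v))
    return Op(t.name, tuple(subst(a, x, v) for a in t.args))

_fresh = count()

def app(t, u):
    """General application tu := (lambda x. x u) t with x fresh (Section 2).
    Assumption: user terms never use variable names starting with '_a'."""
    x = f"_a{next(_fresh)}"
    return App(Lam(x, App(Var(x), u)), t)

class Writer:
    """Output monad T(X) = W x X, W the free monoid on an alphabet (Example 2.4)."""
    def unit(self, x):
        return ("", x)
    def bind(self, m, f):
        w, x = m
        v, y = f(x)
        return (w + v, y)          # (w, x) >>= f concatenates the two outputs
    def support(self, m):
        return {m[1]}
    def op(self, name, args):      # out_w(v, x) = (w . v, x); name is "out_<w>"
        assert name.startswith("out_") and len(args) == 1
        v, x = args[0]
        return (name[4:] + v, x)

class FinPowerset:
    """Finitary powerset monad; nondeterminism via the binary operation 'or' (Example 2.5)."""
    def unit(self, x):
        return frozenset({x})
    def bind(self, m, f):
        return frozenset(y for x in m for y in f(x))
    def support(self, m):
        return set(m)
    def op(self, name, args):
        assert name == "or" and len(args) == 2
        return args[0] | args[1]   # set-theoretic union is the algebraic operation

def step(T, t):
    """One step |-> : C -> T(C) (Definition 4): ground reduction => on redexes and
    values, closed under the evaluation contexts E ::= [] | v E."""
    if is_value(t):
        return T.unit(t)                                   # v => eta(v)
    if isinstance(t, Op):                                  # op(t1..tn) => sigma_op(eta(t1), ..., eta(tn))
        return T.op(t.name, tuple(T.unit(a) for a in t.args))
    assert isinstance(t, App) and isinstance(t.fun, Lam)   # closed kernel term: the function is an abstraction
    if is_value(t.arg):                                    # beta by value: (lambda x.t) v => eta(t{x/v})
        return T.unit(subst(t.fun.body, t.fun.x, t.arg))
    # E[r] |-> e >>= (lambda u. eta(E[u])) with E = v E': reduce inside the argument and
    # rebuild the context; algebraicity is what lets the effect commute with E.
    return T.bind(step(T, t.arg), lambda u: T.unit(App(t.fun, u)))

def evaluate(T, t, fuel=10_000):
    """Finitary convergence [[t]] (Definition 5): iterate the Kleisli extension of |->
    until every term in the support is a value; None if no convergence within fuel."""
    e = T.unit(t)                                          # |->^0 = eta
    for _ in range(fuel):
        if all(is_value(u) for u in T.support(e)):
            return e
        e = T.bind(e, lambda u: step(T, u))                # |->^(n+1) = |-> ; (|->^n)^dagger
    return None

I = Lam("z", Var("z"))
II = App(I, I)
K = Lam("x", Lam("y", Var("x")))
OMEGA = App(Lam("x", App(Var("x"), Var("x"))), Lam("x", App(Var("x"), Var("x"))))

def example5_term():
    # (lambda x. x(out_b(x))) (out_a(I I)), the term typed with (ab, {}) in Example 5
    return App(Lam("x", App(Var("x"), Op("out_b", (Var("x"),)))), Op("out_a", (II,)))

def nondet_term():
    # (lambda f. f I) (I or K): both branches are evaluated and the result is a set
    return App(Lam("f", App(Var("f"), I)), Op("or", (I, K)))

if __name__ == "__main__":
    print(evaluate(Writer(), example5_term()))      # ('ab', <lambda z.z>)
    print(evaluate(FinPowerset(), nondet_term()))   # {lambda z.z, lambda y.lambda z.z}
    print(evaluate(Writer(), OMEGA, fuel=100))      # None: Omega does not converge
```

Because `step` is a function, the whole monadic evaluation is driven by `bind`, i.e. by the Kleisli extension ↦†, so adding a monad means writing `unit`, `bind`, `support` and the interpretation of the operations and nothing in `step` or `evaluate` changes. The output word is accumulated to the left of the value, matching out_w(v, x) = (w · v, x), and the powerset run shows why must-termination is the natural finitary notion: `evaluate` stops only when every branch in the support is a value.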


Relational Reasoning. To prove soundness and completeness of the monadic 
type system, we will need to reason both about expressions and monadic expres- 
sions. In fact, as long as we are interested in reduction sequences we have to 
deal both with terms, to start the sequence, and with their (monadic) reducts, 
to continue the computation. Working with monads, we have already seen that 
we can extend the dynamic semantics of Λ_Σ to monadic computations for free. 
Fig. 4: Type derivation for ⊢ (λx.x(out_b(x)))(out_a(II)) : (ab, ∅). We set id := 
∅ → η(∅) = ∅ → (ε, ∅). [The derivation tree is not recoverable from the extraction; 
its main judgments are: x : {id} ⊢ x : η(∅) (UNIT), x : {id} ⊢ out_b(x) : (b, ∅) (OP), 
x : {id} ⊢ x(out_b(x)) : (b, ∅) (APP), ⊢ λx.x(out_b(x)) : {id} → (b, ∅) (ABS); 
⊢ λz.z : η({id}) (UNIT), ⊢ λy.y : {id} → η({id}) (ABS), ⊢ (λy.y)(λz.z) : η({id}) (APP), 
⊢ out_a(II) : (a, {id}) (OP); and, by a final APP, ⊢ (λx.x(out_b(x)))(out_a(II)) : (ab, ∅).] 


Computations, however, come both with a dynamic and a static semantics (i.e. 
types); and if the former (viz. ↦) extends to monadic computations 
(as ↦†), it is not immediately clear how to do the same with the latter. In fact, 
whereas ↦ is a function, the static semantics of Λ_Σ, given by the typing relation 
⊢, is genuinely relational, meaning that we cannot rely on the axioms of a monad 
to extend it. 


Relational Extensions. We overcome this problem by relying on the notion 
of a relational extension of a monad [10,8,11,14,42,39]. Remarkably, relational 
extensions come with powerful proof techniques, whereby one extends term-based 
results (such as subject reduction and expansion, in our case) to monadic terms 
essentially for free. All of that, however, has a price: relational extensions cannot be given 
for all monads. As long as we are interested in 'forward properties', such as subject 
reduction, it is enough to have a relaxed notion of relational extension, called 
lax relational extension, that is available for a large class of monads (such as 
all the ones seen so far). But if we ask for 'backward properties', such as subject 
expansion, then we need the full axiomatics of a relational extension. And by a 
well-known result by Barr [10], we know that a monad has a relational extension 
if and only if it is weakly cartesian [7,15]. From an equational perspective, 
weakly cartesian monads are defined by affine theories [35], meaning that they 
cannot have equations that duplicate variables. This excludes important monads, 
such as the distribution and powerset monads. This way, one has to rely on 
their 'linearization' to obtain well-behaved intersection type systems. In the 
case of the distribution and powerset monads one does so simply by dropping 
the idempotency equations from their equational theories, thus obtaining the 
so-called multi-distribution [18,66,67,7] and multiset monads [64]. It is important 
to stress that this is not a design issue, but an intrinsic limit of the model, as 
shown by Example 8 (below in this section). 
Lifting the Type System. The type system in Figure 3 defines a dependent
relation ⊢ ∈ ∏_Γ P(Λ_Γ × Θ), where Λ := V + C is the collection of terms of the
calculus, and Λ_Γ is the collection of terms with free variables among Γ. Notice
that ⊢ respects syntactic categories, in the sense that since Θ = A + I + T(I), we can
see ⊢ as the sum of three relations ⊢₁ ∈ ∏_Γ P(V_Γ × A), ⊢₂ ∈ ∏_Γ P(V_Γ × I), and
⊢₃ ∈ ∏_Γ P(C_Γ × T(I)). In the following, we shall tacitly use this decomposition.
Moreover, since type soundness and completeness refer to programs, we will
mostly work with ⊢ restricted to closed terms (i.e. when Γ is empty): in that
case, ⊢ is just an ordinary binary relation.

When instantiated to monadic types (and closed computations), the relation
⊢ ⊆ C° × T(I) is a so-called monadic relation [36]. Under suitable conditions on
monads, monadic relations come with an operation similar to the Kleisli extension
that allows them to be composed and to regard η (seen as a relation) as the unit
of such an operation.


Definition 6 (Relational Extension, [10]). A relational extension of a monad
(T, η, μ) is a family of monotone maps Φ : Rel(A, B) → Rel(TA, TB) such that:

1_{TA} = Φ(1_A)          Φ(R);Φ(S) = Φ(R;S)
T(f) = Φ(f)              Φ(R)° = Φ(R°)
R;η = η;Φ(R)             Φ(Φ(R));μ = μ;Φ(R)

Replacing = with ⊆, we obtain the notion of a lax relational extension.


Any monad T comes with a canonical candidate relational extension: its Barr
extension T̂. Recall that for each relation R : A ⇸ B, we can regard R as a set
G(R) ⊆ A × B. In particular, the projections π₁ : G(R) → A, π₂ : G(R) → B give
R = π₁°;π₂.


Definition 7 (Barr Extension). The Barr extension T̂ of T is defined as
T̂(R) = (T(π₁))°;T(π₂). Elementwise, unfolding this composition, we have φ₁ T̂R φ₂ iff
there is an element of T(G(R)) that T(π₁) maps to φ₁ and T(π₂) maps to φ₂.


Example 6 (Concrete Barr Exts.). Let R : A ⇸ B.

1. For the powerset monad, we have u P̂R v iff ∀x ∈ u. ∃y ∈ v. x R y and
∀y ∈ v. ∃x ∈ u. x R y. A similar definition holds for variations of the powerset
monad.

2. For the distribution monad, we have φ₁ D̂R φ₂ iff there exists ψ ∈ D(A × B)
such that Σ_y ψ(x, y) = φ₁(x), Σ_x ψ(x, y) = φ₂(y), and ψ(x, y) > 0 ⇒ x R y.
A similar definition holds for variations of the distribution monad.

3. For the output monad, we have (a, x) Ŵ(R) (b, y) iff a = b and x R y.

4. More generally, if a monad is presented by a theory (Σ, E), then we have

t T̂_Σ(R) s iff t ~_E C[x₁, ..., xₙ], s ~_E C[y₁, ..., yₙ], and xᵢ R yᵢ, for any i.


The Barr extension of a monad is not a relational extension, in general.
However, the Barr extension of a monad is a relational extension iff the monad
is weakly cartesian [7,15].


Monadic Intersection Types, Relationally 37 


Theorem 2 ([10]). Recall that a monad (T, η, μ) is weakly cartesian if (i)
it preserves weak pullbacks and (ii) all naturality squares of η and μ are weak
pullbacks. If T is weakly cartesian, then its Barr extension is the unique relational
extension of T. If T preserves weak pullbacks, then its Barr extension is a lax
relational extension.


For brevity, we say that a monad is WC (resp. WP) if it is weakly cartesian
(resp. if it preserves weak pullbacks).


Example 7. All the monads seen so far are WP. The output and maybe monads,
additionally, are WC, whereas the powerset and distribution monads are not
[71], as the naturality squares of their unit are not weak pullbacks. If a monad T is
presented by an affine equational theory [35] (Σ, E), meaning that all equations
in E are affine, then it is WC. Consequently, the multiset and multidistribution
monads are WC.


Given a monad T and a monadic relation R ⊆ A × T(B), we define its Kleisli
extension R† ⊆ T(A) × T(B) as T̂(R);μ. Using the Kleisli extension, we define the
composition of monadic relations R ⊆ A × T(B) and S ⊆ B × T(C) as the
relation R ⨟ S ⊆ A × T(C) defined as R;S†. If T is WC (resp. WP), ⨟ is (lax)
associative and has η as (lax) unit [36,40]. Using the Kleisli extension we can
design abstract proof techniques ensuring that properties of ⊢ with respect to
the one-step semantics ↦ can be lifted to ⊢† and ↦†.


Proposition 3 ([10]). Let R : A ⇸ B be a relation and Φ be a lax relational
extension of a monad T. Then, (i) Φ(R) is closed under algebraic operations;
(ii) Φ(R) is closed under monadic binding: R;g ⊆ f;Φ(S) implies Φ(R);g† ⊆
f†;Φ(S).


The next result will be crucial to prove subject expansion.

Proposition 4. Let T be WC. Then: f;R† ⊆ S ⇒ f†;R† ⊆ S†.


In particular, taking both R and S as the typability relation ⊢ ⊆ C × T(I) and
as f the one-step semantic function ↦ : C → T(C), we see that ↦;⊢† ⊆ ⊢ states
that whenever we have a term t with t ↦ e and a monadic type M with ⊢† e : M,
then ⊢ t : M. This is exactly the statement of the subject expansion theorem
at the level of term-based evaluation that we shall prove in the next section: if
t ↦ e and ⊢† e : M, then ⊢ t : M. Prop. 4 then implies that subject expansion
can be extended to full monadic reduction ↦†: if e ↦† e' and ⊢† e' : M, then
⊢† e : M.

Obviously, Proposition 4 still requires us to prove ↦;⊢† ⊆ ⊢, and we would
like to do so syntactically. Although natural, this relational extension is not
always possible. The problem lies in the fact that if we assign a monadic type
M to an element of the form η(t) via ⊢†, there is no guarantee that t itself has
type M. This becomes problematic when dealing with values. Since a value v
(regarded as a computation) reduces to η(v) and our monadic type system assigns
only types of the form η(I) to v, provided that ⊢ v : I, we need to ensure that
any type M such that ⊢† η(v) : M is itself a type of v, and hence of the form
η(I). This, however, is not always the case.


Example 8. Let us consider the distribution monad D and recall that its unit
maps a point to its Dirac distribution. Let v be a value such that ⊢ v : A and
⊢ v : B, so that ⊢ v : {A} and ⊢ v : {B}. By the very definition of the monadic
type system, the computation induced by the value v can only have monadic
types of the form η(I) (i.e. Dirac distributions 1·I). Yet, the lifted relation ⊢†
gives ⊢† η(v) : ½·{A} + ½·{B}, since η(v) = 1·v = ½·v + ½·v and ⊢ v : {A}
and ⊢ v : {B} entail ⊢† 1·v : 1·{A} and ⊢† 1·v : 1·{B}. Consequently, we have
⊢† η(v) : ½·{A} + ½·{B} but we cannot have ⊢ v : ½·{A} + ½·{B}.


The ultimate source of the problem outlined in the above example is that the 
unit of D is not weakly cartesian. 


Proposition 5. Let T be WC. For any monadic relation R ⊆ A × T(B), we
have η;R† = R. In particular, η;⊢† = ⊢.


The techniques seen so far have been designed to prove subject expansion of
the monadic type system. As expected, we are also interested in proving subject
reduction and thus it is natural to design similar proof techniques in that setting.
This can be easily done following the same path as for subject expansion, but
with a main difference: subject reduction does not require the unit of the monad
to be WC, and hence subject reduction results can be proved for a much larger
class of monads.⁷


Proposition 6. Let T be WP. Then: R°;f ⊆ (R†)° ⇒ (R†)°;f† ⊆ (R†)°.


In particular, we can instantiate Proposition 6 with R and f as ⊢ and ↦, hence
obtaining ⊢°;↦ ⊆ (⊢†)° ⇒ (⊢†)°;↦† ⊆ (⊢†)°, meaning that whenever subject
reduction holds at the level of terms (i.e. ⊢ t : M and t ↦ e imply ⊢† e : M), then it
holds at the level of their (monadic) evaluation (i.e. ⊢† e : M and e ↦† e' imply
⊢† e' : M).


Soundness. The proof of soundness of the type system consists in showing: 

1. Subject reduction: types are preserved by reduction. 

2. Termination: all typable terms terminate. 

As we have seen, by Proposition 6 it is sufficient to prove subject reduction with
respect to the single-step, term-based reduction ↦. This is done by induction
on the structure of evaluation contexts, with the help of a substitution lemma,
proved by induction on the structure of terms.


Proposition 7 (Subject Reduction). Let T be WP. Then:
1. Let t be a closed λ-term. If ⊢ t : M and t ↦ e, then ⊢† e : M.
2. Let e be a monadic closed λ-term. If ⊢† e : M and e ↦† e', then ⊢† e' : M.


Proving termination instead needs more work. 


⁷ Notice that even if T is not WC, we still have R;η ⊆ η;Φ(R) (but not the other
inclusion, which is crucial in Proposition 5).
Effectful Observations. Knowing that typing is preserved by reduction, it
remains to show that whenever a computation t has type M, its observable
operational behaviour is fully captured by M. In the pure case, such a behaviour
is just termination, so that one usually shows that typable terms terminate. In
the effectful setting, termination can be given in many forms. First, if effects
capture some forms of nondeterminism, meaning that elements in TA may have
more than one element in their support, then termination can be divided into
may or must termination (i.e. whether the term reaches monadic expressions with
at least one, or all, values in their support). In both of these cases, termination
remains a boolean notion (viz. a predicate). To account for effects it is natural
to ask not only whether a computation terminates, but also which effects are
produced during evaluation (e.g. what is stored in memory locations, which are
the printed outputs, the cost of the computation, etc). A further option is to
make termination effectful itself, a well-known example of effectful termination
being almost-sure termination (i.e. probability of convergence). Such notions are
usually infinitary and require non-boolean reasoning.

Since here we deal with the finitary case, we agree to observe must termination
of computations as well as the effects produced during their evaluation. In the
next section, we shall deal with infinitary evaluation and, consequently, with
effectful termination. Let us begin by formalising how to observe effects. In a
monadic setting, it is customary [19,20,21,62] to model (effectful) observables
as elements of T(X), where X is what is observable of expressions. As we are
interested in must termination, only values are observable, and, moreover, they
cannot be scrutinized further (i.e. we observe that a computation gives a result
(a value), but we cannot inspect such a result⁸).


Definition 8. We define the observation function for monadic objects in T(X)
as obs_X := T(!_X) : T(X) → T(1), where 1 := {★} and !_X : X → 1 is the unique
arrow collapsing all the elements of X to ★. We extend obs to a partial function
on terms by stipulating obs(t) := obs_V(e), provided that ⌊t⌋ = e.


As usual, we omit subscripts whenever possible, writing obs(e), obs(M), etc.


Example 9 (Concrete Observations).

1. The output, or writer, monad W has a notion of observation obs : W(X) → W,
if W is the underlying monoid of words. This is immediate to see because
W(1) := W × {★} ≅ W. Then, we have that obs((w, x)) := w. This means
that what we can observe is the string that has been printed on the output
buffer during the computation.

2. The partiality monad E provides a binary notion of observation, indeed
obs : E(X) → {★, ⊥}. This is actually the way in which one could observe
divergence.

3. The powerset monad P comes with the natural notion of must termination,
since obs : P(X) → {∅, 1}.


⁸ This is standard in weak, untyped λ-calculi. One could add constants, such as
booleans, or numerals, and then observe their shape, in a straightforward way.
Remark 2. According to Definition 8 the observable effects produced by a computation
are elements of T(1). This certainly works well for some effects and
monads, such as output and cost, but it may be unusual for others. For instance,
probabilistic nondeterminism is usually modelled using (variations of)
the sub-distribution monad D and, since D(1) ≅ [0,1], it is natural to interpret
elements in the latter set as actual probabilities of events (such as the probability
of termination, in our case). However, we have already seen that it is simply
not possible to have well-behaved forms of intersection types working with D,
and that we can overcome that issue by working with the multi-sub-distribution
monad M. Unfortunately, M(1) ≇ [0,1], although we would still like to think
about the observable behaviour of a program as its probability of convergence.
This is not a big issue since it does not take much to realise that our analysis
of observations works mutatis mutandis if we replace T(1) with S(1), where S
is another monad such that there is a monad morphism ν : T ⇒ S. This way,
for instance, even if modelling static and dynamic semantics in terms of M, we
can regard obs(t) as the probability of convergence of t, due to the
monad morphism ν : M ⇒ D collapsing multi-sub-distributions into ordinary
sub-distributions.


Termination by Logical Relations. Our goal is now to prove that whenever
a term t has type M then: (i) t must terminate, and (ii) the observable behaviour
of t, i.e., obs(t), is fully described by M. That is, obs(t) = obs(M). To achieve
such a goal, we define a logical relation ⊨ between (closed) terms and types
acting as the semantic interpretation of ⊢ in such a way that ⊢ = ⊨ and ⊨ t : M
implies t ⇓ e (must termination) and obs(e) = obs(M). Remarkably, such a logical
relation makes crucial use of the Barr extension of T.


Definition 9. We define the logical semantics of ⊢ (restricted to closed expressions)
as the relation ⊨ := ⊨_A + ⊨_I + ⊨_M that inductively refines ⊢ (i.e. ⊨ ⊆ ⊢)
as follows, where we use the notation ⊨† e : M in place of e T̂(⊨_I) M.

⊨_A v : I → M iff ∀w. ⊨_I w : I implies ⊨_M vw : M
⊨_I v : {A₁, ..., Aₙ} iff ∀i. ⊨_A v : Aᵢ
⊨_M t : M iff ⊨† ⌊t⌋ : M


As usual, we omit subscripts whenever unambiguous. We first show that, indeed,
⊨ ensures the desired property.


Lemma 3. ⊨ t : M implies ∃e such that ⌊t⌋ = e and obs(e) = obs(M).


Then, we prove the soundness of our type system showing that ⊨ and ⊢ coincide.


Proposition 8 (Soundness). ⊢ = ⊨.
Completeness. Having proved soundness of our type system, we now move
on to completeness, meaning that normalising terms are typable. The proof of
completeness follows the usual pattern for intersection types, and makes crucial
use of subject expansion. The proof of subject expansion is divided into two
parts: first, we prove subject expansion with respect to the single-step reduction
on terms and then extend such a result to monadic terms and monadic reduction
relying on Proposition 4. Concerning the first part, we would like to prove subject
expansion by induction on the structure of evaluation contexts (after having
proved a straightforward anti-substitution lemma). However, the statement is
not true in general.


Example 10. Let us consider the multidistribution monad and the binary operation
⊕₁, i.e. the first projection. Let us consider the reduction λx.x ⊕₁ Ω ↦ 1·λx.x.
Even if ⊢† 1·λx.x : 1·M, it is not possible to type λx.x ⊕₁ Ω with rule OP,
because of course there is no way of typing Ω.


Then, we need a restriction on our calculus, this time about operations. We allow
only operations op(t₁, ..., tₙ) that do not erase their arguments, i.e. for which
supp(σ_op(η(t₁), ..., η(tₙ))) = {t₁, ..., tₙ}. In terms of equational theories, this is
guaranteed by considering linear theories. We already anticipate that we will be
able to remove this restriction in the next section, by the use of infinitary means.


Proposition 9 (Subject Expansion). Let T be WC. Then:

1. If t ↦ e and ⊢† e : M, then ⊢ t : M.
2. If e ↦† e' and ⊢† e' : M, then ⊢† e : M.


Proposition 9, together with the fact that monadic values can always be typed,
gives the completeness of the type system.


Theorem 3 (Completeness). If ⌊t⌋ = e, then there exists a monadic type M
such that ⊢ t : M.


Soundness and completeness together provide a characterization of finitary
effectful termination via typability with intersection types.


Corollary 1 (Characterization). The following clauses are equivalent:

1. Effectful termination: obs(⌊t⌋) = o.
2. Typability: there exists M such that ⊢ t : M and obs(M) = o.


5 Infinitary Effectful Semantics 


In this section, we extend the type system of Section 4 to account for infinitary
behaviours. To do so, we require monads to have enough structure to support such
behaviours. A standard approach to do that is by requiring suitable order-theoretic
enrichments. Here, we consider monads whose Kleisli category is enriched in the
category of directed complete pointed partial orders (dcppos) [43,1], but in order
to maintain the paper as self-contained as possible, we use the following more
concrete (and restricted) definition.


42 Francesco Gavazzo, Riccardo Treglia, and Gabriele Vanoni 


Fig. 5: Type derivation for ⊢ (λx.xx)(I ⊕ Ω) : ½·0, with id := 0 → η(0) = 0 → 1·0.
(The derivation tree, built with the rules VAR, UNIT, INT, ABS, APP, OP and BOT, did not survive extraction.)


Definition 10. A monad (T, η, >>=) is dcppo-ordered if, for any set A, we have
a dcppo (T(A), ⊑_A, ⊥_A) such that the bind operator is strict and continuous in
both arguments.


As usual, we omit subscripts whenever unambiguous. Notice that if T is 
dcppo-ordered, then all its algebraic operations are strict and continuous. 


Example 11. Both the multiset and multidistribution monads can be turned into
dcppo-ordered monads by simply adding a zero-ary operation symbol ⊥ to their
equational theories. Semantically, ⊥ corresponds to the empty multiset and
multidistribution, respectively.


From now on, we tacitly work with an arbitrary but fixed dcppo-ordered
monad (T, η, >>=).


Infinitary Typing. Extending the monadic type system to the infinitary case
is straightforward. We simply add the typing rule

  ――――――――― BOT
  ⊢ t : ⊥

allowing us to type any computation with the totally uninformative type ⊥. Consequently,
we can assign several types to each term.


Example 12. We provide in Fig. 5 the type derivation for the term ⊢ (λx.xx)(I ⊕ Ω) : ½·0,
again a simple variation on the theme of the previous examples. One
can notice that we are able to type it, even if clearly the term does not converge.
Its type ½·0 says exactly that: the probability of convergence is obs(½·0) = ½.


Nonetheless, we can think about type derivations (with occurrences of the
BOT rule) as approximations of the semantic content of a computation, the latter
being reached only at the limit. Moreover, the set of the observations O(t) of
a term t, defined as the collection of all the observations obs(M) for ⊢ t : M, is
directed. Consequently, we can associate to each t a more informative observation
obtained through types, given as Ō(t) := ⊔ O(t). Notice that even if Ō(t) is a
valid observation, there may be no (necessarily finite) derivation π ▷ ⊢ t : M
such that obs(M) = Ō(t).


Infinitary Operational Semantics. A standard approach to deal with infinitary
effectful semantics consists in defining a monadic evaluation function
mapping computations to monadic values. To capture forms of convergence in
the limit, such a function is defined as a suitable least upper bound of maps
evaluating computations for a fixed number of steps. We implement this strategy
building upon the definition of ↦†.


Definition 11 (Approximate Operational Semantics). Let ζ : C → T(V)
map values v (as elements in C) to η(v) and all other terms t to ⊥. Then,
we define the ℕ-indexed family of maps ⌊−⌋ⁿ : C° → T(V°) by ⌊t⌋⁰ := ⊥, and
⌊t⌋ⁿ := e >>= ζ, if n > 0 and t ↦ⁿ e.


Lemma 4 ([19]). For any closed computation t, the sequence {⌊t⌋ⁿ}_{n≥0} forms
a directed set (an ω-chain, actually).


Consequently, we define (overriding the previous finitary definition) ⌊t⌋ :=
⊔ₙ ⌊t⌋ⁿ. Notice that this also gives a straightforward way to extend the observation
function obs (on terms) to the infinitary setting. We simply define obs(t) :=
T(!)(⌊t⌋), with ! : V → 1 as before. Moreover, since T is dcppo-enriched,
obs is continuous (and thus monotone). In particular, we can define a bounded
observation function as obsⁿ(t) := T(!)(⌊t⌋ⁿ) and see that obs(t) = ⊔ₙ obsⁿ(t).
We now have all the ingredients needed to extend our characterization to the
infinitary setting.
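The following added example (not code from the paper) runs Definitions 8, 10 and 11 on the multidistribution monad ordered as in Example 11, with ⊥ the empty multidistribution: it computes the approximants ⌊t⌋ⁿ, the bounded observations obsⁿ(t) = T(!)(⌊t⌋ⁿ) read as probabilities through the morphism ν : M ⇒ D of Remark 2, and the ω-chain of Lemma 4 whose join is obs(t). The term is the one of Example 12, (λx.xx)(I ⊕ Ω), but the one-step function over configuration strings is a hand-written toy model: its step counts and its treatment of Ω as a configuration that steps to itself are assumptions of the model, not the paper's reduction rules.

```python
"""Approximate operational semantics, bounded observations and their limit
for the multidistribution monad ordered with ⊥ = empty multidistribution.

Added worked example, not code from the paper.  The term of Example 12,
(λx.xx)(I ⊕ Ω), is modelled by a hand-written one-step function over
configuration strings; step counts belong to this toy model, and Ω is
modelled as a configuration that steps to itself.  Multidistributions are
lists of (Fraction weight, point) pairs; bottom is the empty list.
"""
from fractions import Fraction

HALF = Fraction(1, 2)
ONE = Fraction(1)
BOTTOM = []                      # the zero-ary operation ⊥ of Example 11
VALUES = {"I"}                   # the only value configuration of the toy model


def eta(x):
    """Unit of the multidistribution monad: the Dirac multidistribution 1.x."""
    return [(ONE, x)]


def bind(m, f):
    """Kleisli extension >>=.  Weights multiply along the way; ⊥ = [] contributes
    nothing, so bind is strict in both arguments as Definition 10 requires."""
    return [(p * q, y) for (p, x) in m for (q, y) in f(x)]


def t_bang(m):
    """T(!) : T(X) -> T(1) of Definition 8: collapse every point to ★, keep weights."""
    return [(p, "★") for (p, _) in m]


def as_probability(m1):
    """Read an element of M(1) as a probability via the monad morphism
    ν : M ⇒ D of Remark 2, i.e. sum the weights."""
    return sum((p for (p, _) in m1), Fraction(0))


def step(t):
    """One-step semantics ↦ : C -> T(C) of the toy model.  Values step to η(v),
    as in the paper; the configuration holding Ω loops forever."""
    if t in VALUES:
        return eta(t)
    table = {
        "(λx.xx)(I ⊕ Ω)": [(HALF, "(λx.xx) I"), (HALF, "(λx.xx) Ω")],  # ⊕: fair choice
        "(λx.xx) I": eta("I I"),
        "I I": eta("I"),
        "(λx.xx) Ω": eta("(λx.xx) Ω"),   # the argument Ω never becomes a value
    }
    return table[t]


def zeta(t):
    """ζ of Definition 11: values to η(v), everything else to ⊥."""
    return eta(t) if t in VALUES else BOTTOM


def approx(t, n):
    """⌊t⌋^n: ⊥ for n = 0, otherwise e >>= ζ where t ↦^n e."""
    if n == 0:
        return BOTTOM
    e = eta(t)
    for _ in range(n):
        e = bind(e, step)          # one more step through the Kleisli extension ↦†
    return bind(e, zeta)


def obs_n(t, n):
    """Bounded observation obs^n(t) := T(!)(⌊t⌋^n), read as a probability."""
    return as_probability(t_bang(approx(t, n)))


def obs_chain(t, upto):
    """The ω-chain obs^0(t) ⊑ obs^1(t) ⊑ ... of Lemma 4; its join is obs(t)."""
    return [obs_n(t, n) for n in range(upto + 1)]


def obs_type(M):
    """obs(M) for a monadic type M given as weighted intersection types: the
    same T(!) as for monadic values, so types and evaluations are comparable."""
    return as_probability(t_bang(M))


if __name__ == "__main__":
    term = "(λx.xx)(I ⊕ Ω)"
    print("approximants:", obs_chain(term, 5))
    print("obs of the type ½·0:", obs_type([(HALF, frozenset())]))
```

In this model the chain reads 0, 0, 0, ½, ½, ½, ...: the first three approximants observe nothing because no configuration is a value yet and ⊥ absorbs the unfinished mass, then the I branch lands and the chain stabilises at ½, which is also obs(½·0) for the type of Example 12. The stabilisation is the finite witness of Theorem 4's obsᵏ(t) for k ≥ 3, while the Ω branch never contributes, matching the role of the BOT rule.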


6 Characterizing Infinitary Behaviors 


In this section, we extend the soundness and completeness results previously seen 
to the infinitary setting. Remarkably, most of the proofs given in the finitary case, 
such as those of subject reduction and expansion, scale to the infinitary case. 
This is no coincidence but a main strength of the abstract relational approach 
that we have developed in the previous part of this work. 


Soundness. As in the finitary case, we have subject reduction for WP monads. 


Proposition 10 (Subject Reduction, Infinitary). Let T be WP. Then:

1. Let t be a closed λ-term. If ⊢ t : M and t ↦ e, then ⊢† e : M.
2. Let e be a monadic closed λ-term. If ⊢† e : M and e ↦† e', then ⊢† e' : M.
Notice that Proposition 10 is given relying on the Barr extension of T which,
by its very definition, does not take into account the order ⊑ induced by T.
In particular, whenever we have ⊢† e : M, then e and M must have the same
effectful behaviour. This means that as long as we stick with T̂(⊢), it is simply not
possible to extend subject reduction (and thus soundness) to the full evaluation
⌊−⌋, the latter being infinitary. Consequently, contrary to the finitary case, there
is no hope to prove that whenever ⊢ t : M, then M encodes the whole observable
behaviour of t, i.e. obs(⌊t⌋). What we can show, however, is that M provides an
approximation of such a behaviour, and that the limit of such approximations is
precisely the operational behaviour of t. The right tool to achieve such a goal is
an ordered version of the Barr extension [41].


Definition 12 (Right Barr Extension). Given R ⊆ A × B, we define its right
Barr extension T̂_⊒(R) ⊆ T(A) × T(B) as T̂_⊒(R) := T̂(R);⊒.


Proposition 11 ([41]). If T is WP, then T̂_⊒ is a lax relational extension.
Using the right Barr extension, we define the logical relation interpreting ⊢.


Definition 13 (Infinitary Logical Relation). We define the logical semantics
of ⊢ (restricted to closed expressions) as the relation ⊨ := ⊨_A + ⊨_I + ⊨_M that
inductively refines ⊢ (i.e. ⊨ ⊆ ⊢) as follows, where we use the notation ⊨† e : M
in place of e T̂_⊒(⊨_I) M.

⊨_A v : I → M iff ∀w. ⊨_I w : I implies ⊨_M vw : M
⊨_I v : {A₁, ..., Aₙ} iff ∀i. ⊨_A v : Aᵢ
⊨_M t : M iff ⊨† ⌊t⌋ : M


As usual, we omit subscripts whenever unambiguous. 


Lemma 5. ⊨ t : M implies obs(⌊t⌋) ⊒ obs(M).


As in the finitary case, we prove the soundness of our type system showing that
⊨ and ⊢ coincide.


Proposition 12 (Soundness). If T is WP, then ⊢ = ⊨.


Completeness. As in the finitary case, completeness is proved via subject 
expansion. This latter result, in turn, is obtained exactly as in the finitary case. 
The only difference is that we are able to drop the constraint about non-erasing 
operations. Indeed, this time we can type erased (and thus possibly diverging) 
arguments with the rule BOT. 


Proposition 13 (Subject Expansion, Infinitary). Let T be WC. Then:

1. If t ↦ e and ⊢† e : M, then ⊢ t : M.
2. If e ↦† e' and ⊢† e' : M, then ⊢† e : M.
Fig. 6: Type derivation for ⊢ ✓((λx.✓(xx))(✓(II) ⊕ I)) : ½·(3,0), ½·(2,0). We set
id := 0 → η(0) = 0 → 1·(0,0). (The derivation tree did not survive extraction.)

Then, we are able to prove approximate completeness, by finitary means. 


Theorem 4 (Approximate Completeness). Let t be a closed λ-term. Then,
for each k ≥ 0, there exists a derivation π_k ▷ ⊢ t : M_k such that obs(M_k) = obsᵏ(t).


Finally, we can claim the full characterization of the infinitary effectful behavior 
of any program by the way of our intersection type system. 


Corollary 2 (Characterization). Let t be a closed λ-term. Then Ō(t) = obs(t).


Example 13. As a concluding example, in Fig. 6 we show the type derivation
for the term ⊢ ✓((λx.✓(xx))(✓(II) ⊕ I)) : ½·(3,0), ½·(2,0). Please notice that
this example is built on the composition of two different monads: cost and
multidistribution. This way, we show how we are able to handle computational
effects in a modular way. It is easy to verify that the same would have been
possible, e.g., for cost and multipowerset. obs(½·(3,0), ½·(2,0)) = ½·3, ½·2, which
is a distribution on costs. Taking its expected value, one can indeed obtain the
average cost of the computation. One can build an example that actually uses
infinitely many types (and derivations) along the lines of the one presented
in [78].


7 Conclusion 


In this paper, we have proposed the first intersection type system able to characterize
the effectful behavior of terms of the λ-calculus enriched with algebraic
operations. In particular, we are able to do that parametrically with respect to
the underlying monad. Moreover, having presented effects as algebraic theories,
it is possible to compose effects relying both on the sum and tensor of algebraic
theories. Since effectful behaviors are often observed at the limit, we had to deal
with infinitary constructions. Technically speaking, relational reasoning was the
main tool exploited to obtain our result in an abstract and modular way.


Perspectives. This work opens several research directions: 


• Quantitative Cost Analyses: Idempotent intersection types are qualitative
in nature because they are not able to track the use of resources, such as
time or space, during the evaluation. Turning intersections (i.e. sets) into
multisets is enough to measure the precise cost of the evaluation of typed
terms, while maintaining the correctness of the type system [24,4,3]. Extending
this machinery to the effectful setting would be very interesting, although not
trivial. While there are standard notions of monadic costs (e.g. the average cost
in the probabilistic setting, or the maximum cost in must nondeterminism), it
is not clear how to devise the type system to capture them. In the probabilistic
case, for example, some additional information had to be stored inside types
to correctly compute the average number of steps [18]. Very recently some
investigations on the state and the exception monad (featuring also handling)
have appeared [5,44], but the design of the type systems seems ad-hoc and not
easy to generalize.

• Higher-Order Model Checking: Model checking of higher-order recursion schemes
has been proven decidable by Ong in 2006 [52]. Since then, several papers
dissected the original result and gave other proof methods and model checking
algorithms. Among them, Kobayashi and coauthors developed type-theoretic
techniques based on intersection types [48,46]. While the literature contains
results about model checking higher-order programs enriched with specific
effects, such as probability or nondeterminism [65], no general method
covering families of computational effects is known. Indeed, we would like to
investigate if our type system could guide the synthesis of model checking
algorithms in the style of [65]. Since the problem has been proved in general
undecidable in the effectful setting, e.g. in the case of the sub-distribution
monad [47], one would need of course to restrict the class of monads in order
to recover decidability.

• Adding Coinduction: Our type system is not able to deal with coinductive
properties, such as productivity, or with coinductive effects, like the output of
streams. We would like to enhance the type system with coinductive types/rules
in order to capture these kinds of properties. Since the type system is somehow
modelled on top of operational semantics, this would require changing it as well.
We mention that very recently some works covering coinduction have appeared,
but limited to the pure λ-calculus, and carried on in the non-idempotent
setting.
Abstract. We introduce layering to modal type theory to combine type
theory with intensional analysis. In particular, we demonstrate this idea
by developing a 2-layered modal type theory. At the core of this type
theory (layer 0) is a simply typed λ-calculus with no modality. Layer 1 is
obtained by extending the core language with one layer of contextual
types to support pattern matching on potentially open code from layer 0
while retaining normalization. Although both layers fundamentally share
the same language and the same typing judgment, we only allow computation
at layer 1. As a consequence, layer 0 accurately captures the
syntactic representation of code in contrast to the computational behaviors
at layer 1. The system is justified by normalization by evaluation
(NbE) using a presheaf model. The normalization algorithm extracted
from the model is sound and complete and is implemented in Agda.
Layered modal type theory provides a uniform foundation for meta-
programming with intensional analysis. We see this work as an important
step towards a foundational way to support meta-programming in proof
assistants.


Keywords: modal type theory - contextual types - meta-programming - normalization
by evaluation - presheaf model


1 Introduction 


For the past decades, the problem of combining type theory and meta-programming
has been in need of a solution (c.f. [57,15,18,36,47,50,7]). Given the solid
and elegant foundations for describing proofs as programs provided by type
theories, also supporting meta-programming allows us to think of proof generation
as code generation. This opens up the possibility to support proof macros,
domain-specific proof generators, proof transformations, and reasoning about
meta-programs within the same language.

While support for meta-programming in existing proof assistants is common
(e.g. [8,15,61,57]), this is typically achieved via some unverified mechanisms
like reflection, requiring significant engineering effort. Moreover, the interplay
between these mechanisms and the core type theory is not well-understood,
often breaks critical type-theoretic properties like confluence, and lacks theoretical
guarantees like normalization. As a consequence, it is often not clear how we
Fig. 1: Layered style as a middle ground


can reason about meta-programs themselves. Even guaranteeing that the gen- 
erated code is well-typed and well-scoped is non-trivial. Hence this leads to a 
gap between implementations of meta-programming in proof assistants and their 
theoretical foundations. 

Theoretical foundations that combine meta-programming with type theory
typically fall into two categories: the homogeneous style and the heterogeneous
style. Homogeneous meta-programming uses a single language capable of
meta-programming itself (depicted in Fig. 1a). To provide a logical, type-safe
foundation in this style, Davies and Pfenning [17] give a modal λ-calculus with the □
modality. They use the modal type □T to represent the code of type T. Having
modal types allows us to differentiate on the type level meta-programs that
manipulate code from regular programs in one unified language. Nanevski et al.
subsequently extend the modal λ-calculus with contextual types, allowing
meta-programming on open code. Nevertheless, the correspondence described by
both systems only supports basic primitives like execution and composition of
code, but does not suggest a way to support any form of intensional analysis.
In fact, supporting intensional analysis in the homogeneous style while retaining
properties like confluence and normalization has been fraught with difficulties
(c.f. [48]). Most recently, Kavvos notes that we can only soundly extend the
modal λ-calculus with intensional analysis for closed code if we want to retain
confluence. A significant step towards supporting pattern matching on open code
in a homogeneous style is taken in Moebius [30]. Moebius is based on System F-
style polymorphism. However, its pattern matching does not guarantee coverage.
Therefore Moebius does not provide normalization.

In a heterogeneous system, we distinguish between the meta-language and the object language (illustrated by Fig. 1c). Recently, Kovács adapts 2-level type theory (2LTT), originally conceived for homotopy type theory, to dependently typed meta-programming. Here, a dependently typed meta-language sits on top of a less expressive object language. However, this type theory does not support intensional analysis. In contrast, Cocon [47], another 2-level type theory following in the footsteps of previous work [17, 39], supports modeling open code and intensional code analysis. Though these heterogeneous systems are modular, this comes at a price: a definition in one level is not directly accessible or reused in the other level. Unlike homogeneous systems, neither heterogeneous system supports execution of code. Moreover, the separation into two languages leads to two separate investigations of meta-theoretic properties for two languages and ultimately two separate normalization arguments. How to elegantly scale these languages to multiple layers is not obvious, or at least very tedious.
In this paper, we propose a novel layered style as a schema to combine meta-programming and type theory (see Fig. 1b) and to combine the advantages of homogeneous and heterogeneous styles. Specifically, our layered modal type theory achieves three features: (1) a run primitive, which extracts a term of type A given code of type A for all A; (2) a normalizing type theory; (3) pattern matching on code, which is the most general form of intensional analysis. As a demonstration, we develop a layered modal simple type theory achieving these features. In this type theory, there are a fixed number of layers of languages. The type theory is uniform in the sense that all layers fundamentally share a common syntax for their languages and the same typing judgment as in the homogeneous style. Therefore, our layered system has a natural run primitive as all homogeneous systems do. Furthermore, our layered system follows the matryoshka principle: the language at layer i is contained in its meta-language at layer i + 1. What is added to layer i at layer i + 1 is the ability to inspect and analyze code from the language at layer i. This matryoshka structure of layers of languages not only ensures uniformity in the syntax and the typing judgment of the type theory, but also provides extra flexibility in distinguishing computational behaviors at different layers. As a principle, we only allow β and η equivalence at the highest layer, so all lower layers are treated as static code which is only identified by its syntax. Layering allows us to encode different computational behaviors at different layers using the same set of equivalence rules. This is crucial to enable sound intensional analysis and establish normalization.

To introduce layering succinctly, we focus on a 2-layered modal simple type theory in this paper. In this 2-layered system, its core language at layer 0 is a simply typed λ-calculus (STLC). At layer 1, STLC is then extended with one layer of meta-programming with the □ modality. The meta-language at layer 1 can only manipulate and analyze code from layer 0, but not from its own layer. Following our previous discussion, we only allow computation on layer 1, and terms at layer 0 are treated as pure syntax. This allows us to cleanly define covering pattern matching on code and eventually leads to an elegant normalization proof using a presheaf model.


Summary of Contributions:

1. We develop a 2-layered modal type theory (Sec. 3) which supports running code (feature (1)). To prove normalization, we extend the classic presheaf model for STLC [5] to our type theory (Sec. 4). From this presheaf model, we extract its normalization algorithm, which is complete and sound.

2. We extend the previous 2-layered modal type theory with pattern matching on code (Sec. 5). We adapt our previous presheaf model to support pattern matching on code and prove that the extracted algorithm is both complete and sound. Thus we achieve features (2) and (3).

3. We outline three different dimensions to extend layered modal type theory in Sec. 6. In particular, we discuss extensions to richer systems like System F and Martin-Löf type theory. We also discuss how to extend the expressive power of the computational layer with additional operations, and how to scale our 2-layered system to n layers.

We believe that layering is versatile enough to be adapted to complex systems like System F and Martin-Löf type theory. As such, it provides a systematic way of supporting intensional analysis while retaining normalization. It is a significant step towards closing the gap between implementations that support meta-programming in practice and their theoretical foundations. Interested readers can find more details in our technical report and our Agda code [28].


2 Example Programs in 2-layered Modal Type Theory 


In this section, we show how to write and improve the well-known power function 
in layered modal type theory by gradually introducing more features. In general, 
many common meta-programs including the power function use only two layers. 


2.1 A Layered Power Function 


The power function defined by [17, Sec. 3.4] is a classic meta-program and we can define it in our 2-layered type theory with the help of contextual types:


power : Nat → □(x : Nat ⊢ Nat)
power zero = box (x. 1)
power (succ n) = letbox u ← power n in box (x. u[x/x] * x)


In the examples in this section, we use a front-end syntax similar to Haskell and Agda. For clarity, we abbreviate succ ... (succ zero) as numbers, e.g. 1 is notation for succ zero. The return type of this meta-function is a contextual type □(x : Nat ⊢ Nat). This type denotes code of type Nat with an open variable x of type Nat. In general, the number of open variables is arbitrary. In the body, we recurse on the input number. If it is zero, then the generated code is just 1. The open variable x is not used. In the succ case, we first perform the recursive call power n. The eliminator letbox binds a new global variable u to an open type (x : Nat ⊢ Nat). We say that u has type Nat with an open variable x of type Nat. A global variable is a placeholder for code. It remains visible under a box constructor. Regular variables like n, on the other hand, cannot directly participate in code construction, so they are hidden inside box. When we refer to u in box, we must instantiate the open variable x of u. In this case, an identity substitution [x/x] suffices. Now u[x/x] stands for the n'th power of x and we obtain our goal by multiplying it with an extra x. Our implementation of the power function is almost as expected except for the dangling 1:


power 1 = box (x. 1 * x)
power 2 = box (x. (1 * x) * x)


We would like to remove the 1’s because it is the unit element of multiplication. 
We will make this improvement in the next subsection. Nevertheless, we can 
already run the current code, which is critical for a meta-programming system: 


letbox u ← power 2 in λx. u[x/x] : Nat → Nat


generates a regular function computing squares. We can also directly run the 
code with a specific argument: 
letbox u ← power 2 in u[5/x] = 25


would substitute 5 for x and give 25, the square of 5. 


2.2 Pattern Matching for Intensional Analysis 


An easy way to improve the previous implementation is to pattern match on 
the resulting code and remove all occurrences of 1. However, supporting pattern 
matching on code in a type-theoretic setting has been notoriously difficult. Previ- 
ous attempts in the homogeneous style fail to retain the normalization property. 
To illustrate, consider the intensional isapp function . This function sim- 
ply looks at the structure of a code and returns true if this code is a function 
application, or false otherwise. Note that isapp’s behavior purely depends on 
the syntactic structure of its argument. In our 2-layered system, this function 
can be implemented by a pattern matching on code: 


isapp : □(· ⊢ Nat) → Bool
isapp x = match x with | ?u ?u' ⇒ true | _ ⇒ false


We use pattern matching to inspect the input code x. In our first branch, we 
return true if x is some function application. Here, ?u and ?u’ are both pattern 
variables. We use question marks to distinguish pattern variables and constants, 
e.g. zero and succ which are the constructors of Nat. This distinction is only 
necessary in the patterns, and we do not write a question mark when we refer 
to a pattern variable in the body of the branch. We also omit writing the local 
context in which the pattern is sensible because it is determined by the type 
of x. The pattern variables u and u' capture the code of the function and the argument respectively if x is a function application. As they are not used, we could also have written _ _ instead. The other branches are captured by the wildcard and all return false. Let us see how this function behaves:


isapp (box ((λx. x) 10)) = true
isapp (box 10) = false


Kavvos points out that Gabbay and Nanevski's evaluation of isapp is not confluent. It is possible to evaluate the same program in different orders and obtain two different values. For some well-typed code t and s,


letbox u ← box (t s) in isapp (box u)
= isapp (box (t s)) = true

letbox u ← box (t s) in isapp (box u)
= letbox u ← box (t s) in false = false


In the second execution, isapp (box u) is evaluated first, and then the overall 
result is false. In our system, this confluence issue is avoided by preventing the 
execution of isapp (box u) until it is known what u stands for. This treatment 
ensures that isapp is stable under substitutions. Hence, the program only evalu- 
ates to true. This is a subtle but critical design decision which ultimately enables 
sound intensional analysis and normalization. We explain more in Sec. 

With sound pattern matching on code, a simple arithmetic simplifier is im- 
plemented to remove the redundant 1’s in the previous subsection: 
simp : □(x : Nat ⊢ Nat) → □(x : Nat ⊢ Nat)
simp y = match y with
  | 1 * ?u   ⇒ box (x. u[x/x])
  | ?u * ?u' ⇒ letbox u1 ← simp (box (x. u[x/x]))
               in box (x. u1[x/x] * u'[x/x])
  | _        ⇒ y


In the first case, we remove 1 from the multiplication. In the second case, we 
recursively simplify the first factor. We know this is sufficient because 1 only 
occurs in the leftmost factor. In the last case, we do not optimize. Since pattern 
matching is covering, we must either specify all cases or give a wildcard case. 
At last, we provide a wrapper function power’, where we invoke simp to simplify 
the code generated by power: 


power' : Nat → □(x : Nat ⊢ Nat)
power' n = simp (power n)


The power' function precisely does what we expect:

power' 1 = box (x. x)
power' 2 = box (x. x * x)


This example shows that we have full control over code via pattern matching on 
code, while running power’ still gives the same behaviors as power. 
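The following is an added example and not code from the paper: a Python model of the programs of this section, in which layer-0 code is kept as plain syntax (nested tuples) and the layer-1 meta-programs power, simp, power' and isapp are ordinary Python functions that build, inspect and run that syntax. The tuple encoding, the Box class and the helper names show, evaluate and run are our own constructions.

```python
# Added example (not the paper's code): layer-0 code is syntax, layer-1
# meta-programs are Python functions over that syntax. Encoding is our own.
from typing import Any, Dict, Tuple

Code = Tuple[Any, ...]   # a layer-0 term, e.g. ('mul', ('num', 1), ('var', 'x'))


class Box:
    """box (x. t): code of type Nat, open in the local context x : Nat."""
    def __init__(self, body: Code) -> None:
        self.body = body

    def __eq__(self, other: object) -> bool:
        return isinstance(other, Box) and self.body == other.body

    def __repr__(self) -> str:
        return f"box (x. {show(self.body)})"


def show(t: Code) -> str:
    """Print layer-0 syntax the way the paper writes it."""
    tag = t[0]
    if tag == 'num':
        return str(t[1])
    if tag == 'var':
        return t[1]
    if tag == 'mul':
        return f"({show(t[1])} * {show(t[2])})"
    if tag == 'app':
        return f"({show(t[1])} {show(t[2])})"
    if tag == 'lam':
        return f"(λ{t[1]}. {show(t[2])})"
    raise ValueError(f"unknown syntax {tag}")


def power(n: int) -> Box:
    """power : Nat → □(x : Nat ⊢ Nat), the unoptimised generator of Sec. 2.1."""
    if n == 0:
        return Box(('num', 1))                 # power zero = box (x. 1)
    u = power(n - 1).body                      # letbox u ← power n ...
    return Box(('mul', u, ('var', 'x')))       # ... in box (x. u[x/x] * x)


def simp(y: Box) -> Box:
    """simp : □(x : Nat ⊢ Nat) → □(x : Nat ⊢ Nat), the three branches of Sec. 2.2."""
    t = y.body
    if t[0] == 'mul' and t[1] == ('num', 1):   # | 1 * ?u ⇒ box (x. u[x/x])
        return Box(t[2])
    if t[0] == 'mul':                          # | ?u * ?u' ⇒ letbox u1 ← simp (box (x. u[x/x]))
        u1 = simp(Box(t[1])).body              #              in box (x. u1[x/x] * u'[x/x])
        return Box(('mul', u1, t[2]))
    return y                                   # | _ ⇒ y


def power_prime(n: int) -> Box:
    """power' n = simp (power n)."""
    return simp(power(n))


def isapp(c: Box) -> bool:
    """isapp : □(· ⊢ Nat) → Bool. It inspects syntax only; the code is never
    evaluated, which is why its answer is stable under substitution."""
    return c.body[0] == 'app'


def evaluate(t: Code, env: Dict[str, int]) -> int:
    """Turn closed first-order code into a program (the run primitive)."""
    tag = t[0]
    if tag == 'num':
        return t[1]
    if tag == 'var':
        return env[t[1]]
    if tag == 'mul':
        return evaluate(t[1], env) * evaluate(t[2], env)
    raise ValueError("only first-order arithmetic code is run here")


def run(code: Box, x: int) -> int:
    """letbox u ← code in u[x/x], evaluated at a concrete x."""
    return evaluate(code.body, {'x': x})
```

Because isapp is only defined on concrete syntax, the model has no way to ask the question for an unknown global u: the letbox has to supply the code first, which is exactly the ordering the paper fixes to keep intensional analysis stable under substitution.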


3 A 2-Layered Modal Type Theory 


In this section, we introduce a 2-layered modal type theory, which is simple 
yet powerful enough for many interesting programs like the unoptimized power 
function in the previous example. This system provides a starting point and a 
basis for a clear understanding of the impact of layering on syntax and semantics. 
We build a semantic framework for 2-layered modal type theory which is further 
extended with pattern matching on code in Sec. 

2-layered modal type theory is defined as follows: 


S, T  := Nat | □(Γ ⊢ T) | S → T                                   (Types, Typ)
x, y                                                               (Local variables)
u                                                                  (Global variables)
s, t  := x | u^δ | zero | succ t | rec_T s (x y. s') t             (Terms, Exp)
       | box t | letbox u ← s in t | λx. t | s t
δ     := · | δ, t/x                                                (Local substitutions)
Γ, Δ  := · | Γ, x : T                                              (Local contexts)
Ψ, Φ  := · | Ψ, u : (Γ ⊢ T)                                        (Global contexts)


We assume de Bruijn indices as our name representation for convenience but our development generalizes. We use natural numbers Nat as a base type. We can construct zero and succ of another Nat. rec_T s (x y. s') t is the recursor for Nat, where t is the scrutinee, s is the base case and s' is the step case, where x is the predecessor and y is the result from the recursive call. As the recursor for natural numbers is standard, we leave its discussion in the technical report [27].
A function is introduced by λ-abstraction and can be applied to an argument. □(Γ ⊢ T) is a contextual type. It stands for code open in context Γ. The box constructor introduces terms of type □(Γ ⊢ T) and letbox is the eliminator for it. We defer our discussion on pattern matching on code to Sec.

For layered systems, we keep track of as many contexts as the layers. These contexts are contained in a fixed-sized context array in the judgments. With two layers, a context array only has two contexts Ψ; Γ. It hence defines a dual-context type theory. Following Pfenning and Davies [42, 17], Γ is referred to as a local context and its variables are local variables, ranged over by x and y. Ψ is a global context and contains global variables, ranged over by u. For a global binding u : (Γ ⊢ T), we say that u represents code of type T with an open context Γ.

When writing meta-programs, we conceptually distinguish between programs that are dynamic and compute, and code that is static and syntactic. In a homogeneous system, this distinction is captured by types, i.e. program t has type T while code has type □(Γ ⊢ T). However, a term t itself does not provide information about whether it is inside of a box (hence treated as code), or outside of a box (hence a program). For example, only knowing that succ zero has type Nat does not reveal whether it is a piece of code or a program. The typing judgment for homogeneous systems like Ψ; Γ ⊢ t : T [42, 17] only provides typing information, and does not a priori determine whether t should be considered as code or as a program. Even though one major advantage of a homogeneous system is to use the same language for code and programs, this lack of information is the critical reason for the challenges that we face when combining type theory and intensional analysis.

Layered modal type theory makes the distinction between code and programs explicit. In the typing judgment Ψ; Γ ⊢_i t : T, we use the subscript i ∈ [0,1] to identify the layer at which t is well-typed. This judgment states that the term t has type T at layer i. When i = 0, t is code and does not compute, and when i = 1, t is a program and therefore has rich reduction behaviors. There are three important implications of layering:


1. we can control what types are valid at each layer, 
2. we can control what terms are well-typed at each layer, and 
3. we can control what terms are equivalent at each layer. 


In the first part, we control the validity of types using the validity predicate. In the rules below, we rule out the use of □ at layer 0 and limit layer 1 to at most one layer of □:


                    S wf^i   T wf^i          Γ wf^0   T wf^0
  ------------      ----------------         -----------------
  Nat wf^i          S → T wf^i               □(Γ ⊢ T) wf^1


Ψ; Γ ⊢_i t : T  and  Ψ; Γ ⊢_i δ : Δ     Term t and local substitution δ are well-typed,
                                          respectively, in contexts Ψ and Γ at layer i, where i ∈ [0,1]

  Ψ wf^0   Γ wf^i         Ψ; Γ ⊢_i δ : Δ   Ψ; Γ ⊢_i t : T        Ψ; Γ ⊢_i δ : Δ   u : (Δ ⊢ T) ∈ Ψ
  ----------------        -------------------------------        ---------------------------------
  Ψ; Γ ⊢_i · : ·          Ψ; Γ ⊢_i δ, t/x : Δ, x : T             Ψ; Γ ⊢_i u^δ : T

  Ψ wf^0   Γ wf^i   x : T ∈ Γ        Ψ wf^0   Γ wf^i         Ψ; Γ ⊢_i t : Nat
  ----------------------------       --------------------    ----------------------
  Ψ; Γ ⊢_i x : T                     Ψ; Γ ⊢_i zero : Nat     Ψ; Γ ⊢_i succ t : Nat

  Ψ; Γ, x : S ⊢_i t : T              Ψ; Γ ⊢_i t : S → T   Ψ; Γ ⊢_i s : S
  --------------------------         -----------------------------------
  Ψ; Γ ⊢_i λx. t : S → T             Ψ; Γ ⊢_i t s : T


Ψ; Γ ⊢_i t ≈ t' : T     Terms t and t' are equivalent in contexts Ψ and Γ at layer i

  Ψ; Γ, x : S ⊢_1 t : T   Ψ; Γ ⊢_1 s : S       Ψ; Δ ⊢_0 s : T   Ψ, u : (Δ ⊢ T); Γ ⊢_1 t : T'
  -------------------------------------        ---------------------------------------------
  Ψ; Γ ⊢_1 (λx. t) s ≈ t[s/x] : T              Ψ; Γ ⊢_1 letbox u ← box s in t ≈ t[s/u] : T'

  Ψ; Γ ⊢_1 t : S → T
  ------------------------------
  Ψ; Γ ⊢_1 t ≈ λx. t x : S → T


Fig. 2: Typing and equivalence judgments


This validity predicate only limits the depth of nested □s. Therefore, (□(· ⊢ Nat) ⇒ □(· ⊢ Nat)) wf^1 holds although it has two □s. □(· ⊢ □(· ⊢ Nat)) wf^1 does not hold, because it has two nested layers of □. Moreover, the validity judgment only provides an upper bound, so both Nat wf^0 and Nat wf^1 hold. This predicate generalizes to Ψ wf^i and Γ wf^i by requiring all types in Ψ and Γ to comply with the predicate. The validity predicates satisfy the lifting property:


Lemma 1 (Type lifting). If T wf^0, then T wf^1; if Γ wf^0, then Γ wf^1.


The lifting property characterizes the matryoshka principle for types and the diagram in Fig. 1 and says that types and contexts at a lower layer are included at a higher layer.

The fact that the validity predicate only allows □ at layer 1 suggests that its constructor box and eliminator letbox should also only appear at layer 1, while terms of types Nat and functions should appear at both layers. Having a layer in the typing judgment allows us to cleanly restrict valid terms at each layer:


  Γ wf^1   Ψ; Δ ⊢_0 t : T            Ψ; Γ ⊢_1 s : □(Δ ⊢ T)   Ψ, u : (Δ ⊢ T); Γ ⊢_1 t : T'
  -----------------------------      ---------------------------------------------------
  Ψ; Γ ⊢_1 box t : □(Δ ⊢ T)          Ψ; Γ ⊢_1 letbox u ← s in t : T'


box t is well-typed at layer 1 only if the code t is well-typed at layer 0. Now a clear line is drawn between code and programs: code lives at layer 0 while programs live at layer 1. The rule for letbox is only available at layer 1. The body is type-checked in an extended global context with a new global variable. This global variable is a placeholder for the code computed by s.

The rules are given in Fig. 2. The rules for terms coming from STLC, i.e. zero, succ, λ and function applications, are standard and valid at both layers. Given a term of type Nat or a function, we know whether it is code or a program by checking the layer it lives at. Extra validity predicates are added to the premises of the local variable rule and the zero rule to enforce the coherence between terms and types at layer i. Notice that terms from STLC can extend the local context via λ regardless of layers and they can only refer to but not introduce global variables. When referring to a global variable u, a local substitution δ is needed to replace all variables in the local context Δ, as specified by the superscript. The coherence between terms and types requires terms at layer i to have types at the same layer. This criterion is formulated by the following lemma:


Lemma 2 (Syntactic validity). If Ψ; Γ ⊢_i t : T, then Ψ wf^0, Γ wf^i and T wf^i for i ∈ [0,1].


Ψ is always valid at layer 0 because it is a context for code from layer 0.

The layer i in the typing judgment Ψ; Γ ⊢_i t : T effectively leads to the encapsulation of two languages in the same system. When i = 0, only terms in STLC are well-typed, so we work in STLC, and hence Ψ wf^0 and Γ wf^0 hold. The typing rules ensure that we cannot write any meta-program at this layer and no □ is involved. When i = 1, one layer of □ is allowed in addition to STLC. At this layer, we can not only write regular STLC programs, but also write meta-programs that generate STLC programs through □. Thus, we work with a meta-language and an extension of STLC. In this case, Ψ wf^0 and Γ wf^1 hold. Using layers, we fit both code (layer 0) and programs (layer 1) in a unified set of typing rules and arrive at a middle ground between homogeneous and heterogeneous styles. Code at layer 0 can be lifted to layer 1 and turned into a program. The resulting program is well-typed, due to the following lemma:


Lemma 3 (Term lifting). If Ψ; Γ ⊢_0 t : T, then Ψ; Γ ⊢_1 t : T.
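The typing rules of this section, as an added example written for this page rather than taken from the paper's Agda development: a checker for the layered judgment Ψ; Γ ⊢_i t : T together with the validity predicate T wf^i. Terms and types are tuples, Ψ is a dict from u to (Δ, T) and Γ a list of (x, T); unlike the paper, λ carries its domain type so that types can be inferred without bidirectional rules. The encoding and the names wf, ctx_wf, infer and try_infer are our own.

```python
# Added example (not the paper's code): a type checker for Ψ; Γ ⊢_i t : T.
# Encoding (our own):  ('Nat',)  ('->', S, T)  ('box', Δ, T) for □(Δ ⊢ T)
#   ('var', x) ('zero',) ('succ', t) ('lam', x, S, t) ('app', t, s)
#   ('gvar', u, δ) ('box', Δ, t) ('letbox', u, s, t);  δ = tuple of (x, term)
from typing import Dict, List, Optional, Tuple

Ty = tuple
NAT: Ty = ('Nat',)


def arrow(s: Ty, t: Ty) -> Ty:
    return ('->', s, t)


def boxty(delta: List[Tuple[str, Ty]], t: Ty) -> Ty:
    return ('box', tuple(delta), t)          # □(Δ ⊢ T)


def wf(ty: Ty, layer: int) -> bool:
    """T wf^i: □ is only valid at layer 1 and its contents must be wf^0."""
    if ty[0] == 'Nat':
        return True
    if ty[0] == '->':
        return wf(ty[1], layer) and wf(ty[2], layer)
    if ty[0] == 'box':
        return layer == 1 and all(wf(t, 0) for _, t in ty[1]) and wf(ty[2], 0)
    raise ValueError(ty)


def ctx_wf(gamma: List[Tuple[str, Ty]], layer: int) -> bool:
    return all(wf(t, layer) for _, t in gamma)


class IllTyped(Exception):
    pass


def infer(psi: Dict[str, Tuple[list, Ty]], gamma: List[Tuple[str, Ty]],
          layer: int, t: tuple) -> Ty:
    """Return T such that Ψ; Γ ⊢_layer t : T, or raise IllTyped."""
    tag = t[0]
    if tag in ('var', 'zero', 'gvar') and not ctx_wf(gamma, layer):
        raise IllTyped("Γ is not valid at this layer")   # the wf premises at the leaves
    if tag == 'var':
        for x, ty in reversed(gamma):
            if x == t[1]:
                return ty
        raise IllTyped(f"unbound local variable {t[1]}")
    if tag == 'zero':
        return NAT
    if tag == 'succ':
        if infer(psi, gamma, layer, t[1]) != NAT:
            raise IllTyped("succ expects Nat")
        return NAT
    if tag == 'lam':
        return arrow(t[2], infer(psi, gamma + [(t[1], t[2])], layer, t[3]))
    if tag == 'app':
        f = infer(psi, gamma, layer, t[1])
        if f[0] != '->' or f[1] != infer(psi, gamma, layer, t[2]):
            raise IllTyped("ill-typed application")
        return f[2]
    if tag == 'gvar':                            # Ψ; Γ ⊢_i δ : Δ  and  u : (Δ ⊢ T) ∈ Ψ
        if t[1] not in psi:
            raise IllTyped(f"unbound global variable {t[1]}")
        delta_ctx, ty = psi[t[1]]
        if [x for x, _ in delta_ctx] != [x for x, _ in t[2]]:
            raise IllTyped("local substitution does not cover Δ")
        for (_, want), (_, s) in zip(delta_ctx, t[2]):
            if infer(psi, gamma, layer, s) != want:
                raise IllTyped("ill-typed local substitution")
        return ty
    if tag == 'box':                             # Γ wf^1  and  Ψ; Δ ⊢_0 t : T, layer 1 only
        if layer != 1 or not ctx_wf(gamma, 1):
            raise IllTyped("box is only available at layer 1")
        delta = list(t[1])
        return boxty(delta, infer(psi, delta, 0, t[2]))
    if tag == 'letbox':                          # layer 1 only; body sees u : (Δ ⊢ T)
        if layer != 1:
            raise IllTyped("letbox is only available at layer 1")
        sty = infer(psi, gamma, 1, t[2])
        if sty[0] != 'box':
            raise IllTyped("letbox scrutinee must have a □ type")
        psi2 = dict(psi)
        psi2[t[1]] = (list(sty[1]), sty[2])
        return infer(psi2, gamma, 1, t[3])
    raise ValueError(f"unknown term {tag}")


def try_infer(psi, gamma, layer, t) -> Optional[Ty]:
    """None when the term is ill-typed at that layer (convenient for Lemma 3 checks)."""
    try:
        return infer(psi, gamma, layer, t)
    except IllTyped:
        return None
```

Checking the same STLC term at layer 0 and at layer 1 gives the same type, which is Lemma 3 on concrete inputs; a term containing box is rejected at layer 0, and a nested box is rejected at layer 1 because the inner box is checked at layer 0.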


The lifting property of well-typed terms has two indications. (1) A language at layer 0 is contained at layer 1. This is the critical intuition of the matryoshka principle and the idea of layering. (2) Though a term at layer 0 is code and static, its computational behaviors are recovered by lifting it to layer 1. The second point is what guarantees a universal run primitive for all code that is crucial for a meta-programming system and achieves feature (1) in Sec. 1. The term lifting behavior can be triggered by the β rule for □. For some well-typed terms t and s at layer 0 and a local substitution δ that does not refer to u:


letbox u ← box ((λx. t) s) in u^δ ≈ ((λx. t) s)[δ] ≈ t[s/x][δ]


Due to the β rule, u is replaced by (λx. t) s. The layer-0 term (λx. t) s is then lifted to layer 1 on the right hand side and computes. Thus its computational behavior is revived and it is further reduced to t[s/x].

At last, due to layering in the typing rules, the equivalence rules are also layered. There are three groups of equivalence rules: the PER rules which include symmetry and transitivity, congruence rules which are naturally derived from the typing rules, and the computation rules which describe β and η equivalence. The PER and congruence rules apply to all layers, but the computation rules only apply to layer 1. We show all the β and η rules at the bottom of Fig. 2. The PER and congruence rules are standard. [s/x] and [s/u] are local and global substitutions, respectively. They substitute s for x and for u everywhere as expected. The lack of computation at layer 0 ensures that terms at layer 0 are identified only by their syntactic structures and indeed behave as code:


Lemma 4 (Static code). If Ψ; Γ ⊢_0 t ≈ s : T, then t = s.
                          γ : Ψ ⇒_g Φ   Γ wf^0   T wf^0               γ : Ψ ⇒_g Φ   Γ wf^0   T wf^0
  -------------           -------------------------------------       -------------------------------
  ε : · ⇒_g ·             q(γ) : Ψ, u : (Γ ⊢ T) ⇒_g Φ, u : (Γ ⊢ T)    p(γ) : Ψ, u : (Γ ⊢ T) ⇒_g Φ

                          τ : Γ ⇒_l Δ   T wf^1                        τ : Γ ⇒_l Δ   T wf^1
  -------------           ------------------------------              ------------------------
  ε : · ⇒_l ·             q(τ) : Γ, x : T ⇒_l Δ, x : T                p(τ) : Γ, x : T ⇒_l Δ

  γ : Ψ ⇒_g Φ   τ : Γ ⇒_l Δ
  ---------------------------
  γ; τ : Ψ; Γ ⇒ Φ; Δ


Fig. 3: Global and local weakenings


This lemma justifies our treatment of terms at layer 0 as code and prepares for 
the addition of pattern matching on code in Sec. 

Finally, we specify global substitutions between global contexts. Global sub- 
stitutions are defined in the usual way as lists of terms: 


σ := · | σ, t/u                                        (Global substitutions)

Due to layering, all terms in a global substitution must live at layer 0:


  Ψ wf^0             Ψ ⊢ σ : Φ   Ψ; Γ ⊢_0 t : T
  -------------      -------------------------------
  Ψ ⊢ · : ·          Ψ ⊢ σ, t/u : Φ, u : (Γ ⊢ T)


Given a global substitution σ, we can apply it to a term:


x[σ]                    := x
u^δ[σ]                  := σ(u)[δ[σ]]                          (lookup u in σ)
zero[σ]                 := zero
succ t[σ]               := succ (t[σ])
λx. t[σ]                := λx. (t[σ])
t s[σ]                  := (t[σ]) (s[σ])
box t[σ]                := box (t[σ])
letbox u ← s in t[σ]    := letbox u ← s[σ] in (t[σ, u/u])


where δ[σ] applies σ to all terms in δ. Global substitutions do not handle local variables, so in the case of local variables we just return x, while in the case of global variables we look up σ and apply the globally substituted local substitution δ[σ] to the result of the lookup. σ propagates recursively in most cases. In the case of letbox, we extend the substitution and apply σ, u/u to the body t. Global substitutions compose and have identity. We write Ψ ⊢ id_Ψ : Ψ, and often omit the subscript whenever it can be inferred.


4 Presheaf Model and Normalization by Evaluation 


We now establish normalization by evaluation (NbE) [BB7M] of the 2-layered modal type theory. NbE is a technique to establish the normalization property. An NbE proof usually proceeds in two steps: first, we evaluate terms of a type theory into some chosen domain; second, normal forms are extracted from values in this domain. Our chosen domain is a presheaf category. A presheaf category is a functor category from some base category to the category of sets. A carefully chosen base category leads to an intuitive normalization proof. In this section, we use the category of weakenings as the base category. The presheaf model shown here is a moderate extension of the classic presheaf model of STLC [5].


⟦_⟧ : Typ → W^op ⇒ Set                     ⟦Φ⟧^0_{Ψ;Γ} := {γ | γ : Ψ ⇒_g Φ}
⟦Nat⟧ := Nf^Nat                             ⟦Φ⟧^1_{Ψ;Γ} := {σ | Ψ ⊢ σ : Φ}
⟦□(Γ ⊢ T)⟧ := Nf^{□(Γ ⊢ T)}                 ⟦·⟧_{Ψ;Γ} := {∗}
⟦S → T⟧ := ⟦S⟧ ⇒ ⟦T⟧                        ⟦Δ, x : T⟧_{Ψ;Γ} := ⟦Δ⟧_{Ψ;Γ} × ⟦T⟧_{Ψ;Γ}


Fig. 4: Interpretations of types, and global and local contexts


4.1 Category of Weakenings 


In the category of weakenings, the objects are the dual contexts and morphisms 
are weakenings between dual contexts. Weakenings between dual contexts are 
just tuples of global and local weakenings. They individually are defined in the 
same way as weakenings in STLC as below: 


γ := ε | q(γ) | p(γ)     (Global weakenings)          τ := ε | q(τ) | p(τ)     (Local weakenings)


Their typing rules are virtually identical, with the only difference in the validity predicates (Fig. 3). The q constructor extends a weakening with the same type, while p actually weakens the context. Ψ ⇒_g Φ denotes global weakenings and Γ ⇒_l Δ denotes local weakenings. Then weakenings of dual contexts γ; τ : Ψ; Γ ⇒ Φ; Δ are tuples of global and local weakenings. Both global and local weakenings have composition and identity. We write id_Ψ and id_Γ for the identity global and local weakenings, respectively. We often omit the subscript when it can be inferred from the context. Identity and composition of weakenings Ψ; Γ ⇒ Φ; Δ are defined pairwise. We verify that dual contexts and weakenings form a category, which is referred to as W. This is the base category that we will be working with. We sometimes also need to work with GW, the category of global contexts and global weakenings.


4.2 Presheaf Model and Interpretations 


In this section, we define the normalization algorithm with W as our base category. The algorithm normalizes terms to their βη-normal forms, which are defined as follows:


w := v | zero | succ w | box t | λx. w                               (Normal form (Nf))
v := x | u^θ | v w | rec_T w (x y. w') v | letbox u ← v in w         (Neutral form (Ne))
θ := · | θ, w/x                                                      (Normal local substitutions)


Notice that box t is already normal for any t. This is expected because box t regards t as static code so t cannot be reduced. These definitions induce the sets of well-typed normal and neutral forms:


Nf^T_{Ψ;Γ} := {w | Ψ; Γ ⊢_1 w : T}            Ne^T_{Ψ;Γ} := {v | Ψ; Γ ⊢_1 v : T}


The sets only capture terms at layer 1 due to the lack of reductions at layer 0. Nf^T and Ne^T then are the induced presheaves mapping dual contexts to the sets of normal and neutral forms, respectively.

Next we give the interpretation of types. The interpretation of function types 
is presheaf exponentials derived from the Yoneda lemma with naturality: 


F ⇒ G : W^op ⇒ Set
(F ⇒ G)_{Ψ;Γ} := ∀ γ; τ : Φ; Δ ⇒ Ψ; Γ . F_{Φ;Δ} → G_{Φ;Δ}


We define the interpretations of types, and global and local contexts in Fig. 4. Both Nat and □(Γ ⊢ T) are interpreted as their presheaves of normal forms. In particular, ⟦□(Γ ⊢ T)⟧ is not even recursive. This case effectively interprets □(Γ ⊢ T) as the code of T open in Γ. Based on the definition, the two possible kinds of terms in Nf^{□(Γ ⊢ T)} are either neutral or of the form box t. In the latter case, we have gained access to the syntax of t, permitting more complex operations like pattern matching on code.

The interpretation of global contexts is layered. At layer 1, it is the presheaf of global substitutions, containing code at layer 0 awaiting to be evaluated. At layer 0, it is the Hom set of GW, i.e. the presheaf of global weakenings. This definition is motivated technically to ensure the naturality of evaluation of terms to be defined shortly. We let σ range over ⟦Φ⟧^i when i is unknown. Local contexts are interpreted as iterated products of values as usual, where ∗ is the unique element of a chosen singleton set. A dual context is interpreted pairwise:


⟦Φ; Δ⟧^i_{Ψ;Γ} := ⟦Φ⟧^i_{Ψ;Γ} × ⟦Δ⟧_{Ψ;Γ}


All interpretations above are functors:

Lemma 5. ⟦T⟧, ⟦Φ⟧^1, ⟦Δ⟧ and ⟦Φ; Δ⟧^i are presheaves. ⟦Φ⟧^0 is from GW.


If a ∈ ⟦T⟧_{Φ;Δ} and γ; τ : Ψ; Γ ⇒ Φ; Δ, we write a[γ; τ] for the functorial action of γ; τ on a. We generalize this notation to other functors.

Finally, we define the evaluation functions, interpreting terms as natural transformations between presheaves. This interpretation relies on two other natural transformations, reflection and reification, which map Ne^T to ⟦T⟧ and ⟦T⟧ to Nf^T, respectively. All four natural transformations are defined in Fig. 5. Since Nat and □(Γ ⊢ T) are interpreted as presheaves of normal forms, their cases in reification and reflection are just identities. The case for functions is defined in the same way as in STLC.

↓^T_{Ψ;Γ} : ⟦T⟧_{Ψ;Γ} → Nf^T_{Ψ;Γ}                                            (Reification)
↓^Nat_{Ψ;Γ}(a)        := a
↓^{□(Δ ⊢ T)}_{Ψ;Γ}(a) := a
↓^{S → T}_{Ψ;Γ}(a)    := λx. ↓^T_{Ψ;Γ,x:S}(a (id; p(id), ↑^S_{Ψ;Γ,x:S}(x)))
                         (where id; p(id) : Ψ; Γ, x : S ⇒ Ψ; Γ)

↑^T_{Ψ;Γ} : Ne^T_{Ψ;Γ} → ⟦T⟧_{Ψ;Γ}                                            (Reflection)
↑^Nat_{Ψ;Γ}(v)        := v
↑^{□(Δ ⊢ T)}_{Ψ;Γ}(v) := v
↑^{S → T}_{Ψ;Γ}(v)    := (γ; τ : Φ; Δ ⇒ Ψ; Γ)(a ∈ ⟦S⟧_{Φ;Δ}) ↦ ↑^T_{Φ;Δ}(v[γ; τ] ↓^S_{Φ;Δ}(a))

⟦_⟧^i_{Ψ;Γ} : Φ; Δ ⊢_i t : T → ⟦Φ; Δ⟧^i_{Ψ;Γ} → ⟦T⟧_{Ψ;Γ}                      (Evaluation)
⟦zero⟧^i_{Ψ;Γ}(σ; ρ)      := zero
⟦succ t⟧^i_{Ψ;Γ}(σ; ρ)    := succ (⟦t⟧^i_{Ψ;Γ}(σ; ρ))
⟦u^δ⟧^0_{Ψ;Γ}(γ; ρ)       := ↑^T_{Ψ;Γ}(u^θ)
                             (where u : (Δ' ⊢ T) ∈ Φ, Φ; Δ ⊢_0 δ : Δ', and θ := ↓_{Ψ;Γ}(⟦δ⟧^0_{Ψ;Γ}(γ; ρ)))
⟦u^δ⟧^1_{Ψ;Γ}(σ; ρ)       := ⟦σ(u)⟧^0_{Ψ;Γ}(id; ⟦δ⟧^1_{Ψ;Γ}(σ; ρ))
⟦x⟧^i_{Ψ;Γ}(σ; ρ)         := ρ(x)                                             (lookup x in ρ)
⟦λx : S. t⟧^i_{Ψ;Γ}(σ; ρ) := (γ; τ : Ψ'; Γ' ⇒ Ψ; Γ)(a ∈ ⟦S⟧_{Ψ';Γ'}) ↦ ⟦t⟧^i_{Ψ';Γ'}(σ'; (ρ', a))
                             (where (σ'; ρ') := (σ; ρ)[γ; τ] ∈ ⟦Φ; Δ⟧^i_{Ψ';Γ'})
⟦t s⟧^i_{Ψ;Γ}(σ; ρ)       := ⟦t⟧^i_{Ψ;Γ}(σ; ρ)(id_{Ψ;Γ}, ⟦s⟧^i_{Ψ;Γ}(σ; ρ))
⟦box t⟧^1_{Ψ;Γ}(σ; ρ)     := box (t[σ])
⟦letbox u ← s in t⟧^1_{Ψ;Γ}(σ; ρ) := ⟦t⟧^1_{Ψ;Γ}(σ, s'/u; ρ)                   (if ⟦s⟧^1_{Ψ;Γ}(σ; ρ) = box s')
⟦letbox u ← s in t⟧^1_{Ψ;Γ}(σ; ρ) :=
    ↑^T_{Ψ;Γ}(letbox u ← v in ↓^T_{Ψ,u:(Δ' ⊢ S);Γ}(⟦t⟧^1_{Ψ,u:(Δ' ⊢ S);Γ}(σ', u/u; ρ')))
                             (if ⟦s⟧^1_{Ψ;Γ}(σ; ρ) = v, where (σ'; ρ') := (σ; ρ)[p(id); id] ∈ ⟦Φ; Δ⟧^1_{Ψ,u:(Δ' ⊢ S);Γ})

⟦_⟧^i_{Ψ;Γ} : Φ; Δ ⊢_i δ : Δ' → ⟦Φ; Δ⟧^i_{Ψ;Γ} → ⟦Δ'⟧_{Ψ;Γ}                   (Substitution Evaluation)
⟦·⟧^i_{Ψ;Γ}(σ; ρ)         := ∗
⟦δ, t/x⟧^i_{Ψ;Γ}(σ; ρ)    := (⟦δ⟧^i_{Ψ;Γ}(σ; ρ), ⟦t⟧^i_{Ψ;Γ}(σ; ρ))


Fig. 5: Definitions of reification, reflection and evaluation


Our evaluation is a moderate extension of the evaluation of STLC [5]. The evaluation function is layered because the type theory itself is layered. The cases overlapping with STLC are identical, so we only discuss the modal cases. The box t case is only available at layer 1. In this case, we directly propagate σ under box. In the letbox case, we first evaluate s. Given ⟦s⟧^1_{Ψ;Γ} ∈ ⟦□(Δ' ⊢ S)⟧_{Ψ;Γ} = Nf^{□(Δ' ⊢ S)}_{Ψ;Γ}, this evaluation has two possible results: it returns either a box s', or a neutral v. In the first case, we just recurse with σ extended with s' for u. In the second case of letbox, some neutral v blocks the evaluation, so we can only recurse on the body t with u as is and with σ and ρ properly weakened. To obtain a ⟦T⟧_{Ψ;Γ}, we reify the evaluation of t and obtain a normal form, using which we obtain a neutral of letbox. A reflection of this neutral gives us a ⟦T⟧_{Ψ;Γ}.

The interpretation of global variables is the most interesting. When u^δ is referred to at layer 1, we are evaluating some code and turning it into a program, i.e. running it. We retrieve the code by looking up u in σ, and continue the evaluation at layer 0 with an environment obtained by evaluating δ. Notice that the layer decreases so the interpretation is well-founded regardless of the size of σ(u). The evaluation of a local substitution recursively evaluates all terms in the local substitution. If we refer to u^δ at layer 0, then u should stay neutral. Moreover, the evaluation function is required to return a natural transformation. Both requirements lead to the interpretation of global contexts as the Hom set of GW at layer 0, since a weakened global variable is still a global variable and neutral. We first normalize δ by evaluating and then reifying it, and obtain a ⟦T⟧_{Ψ;Γ} by reflection. Last, reification, reflection and evaluation are all natural transformations:


Lemma 6 (Naturality). If $\gamma;\tau : \Psi';\Gamma' \Rightarrow \Psi;\Gamma$,

- if $a \in \llbracket T \rrbracket_{\Psi;\Gamma}$, then $\downarrow^T_{\Psi;\Gamma}(a)[\gamma;\tau] = \downarrow^T_{\Psi';\Gamma'}(a[\gamma;\tau])$;
- if $v \in \mathrm{Ne}_{\Psi;\Gamma}$, then $\uparrow^T_{\Psi;\Gamma}(v)[\gamma;\tau] = \uparrow^T_{\Psi';\Gamma'}(v[\gamma;\tau])$;
- if $\Phi;\Delta \vdash_i t : T$ and $\sigma;\rho \in \llbracket \Phi;\Delta \rrbracket_{\Psi;\Gamma}$, then $\llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho)[\gamma;\tau] = \llbracket t \rrbracket_{\Psi';\Gamma'}((\sigma;\rho)[\gamma;\tau])$.


The NbE algorithm is given by composing the interpretations:

Definition 1. A normalization by evaluation algorithm given $\Psi;\Gamma \vdash_1 t : T$ is
\[
\begin{array}{l}
\mathrm{nbe}^T_{\Psi;\Gamma}(t) : \mathrm{Nf}_{\Psi;\Gamma} \\
\mathrm{nbe}^T_{\Psi;\Gamma}(t) := \downarrow^T_{\Psi;\Gamma}(\llbracket t \rrbracket_{\Psi;\Gamma}(\uparrow^{\Psi;\Gamma}))
\end{array}
\]
where $\uparrow^{\Psi;\Gamma} \in \llbracket \Psi;\Gamma \rrbracket_{\Psi;\Gamma}$ is a tuple of the identity global substitution and the identity environment.


This algorithm is correct due to the following two theorems: 


Theorem 1 (Completeness). If $\Psi;\Gamma \vdash_1 t \approx t' : T$, then $\mathrm{nbe}^T_{\Psi;\Gamma}(t) = \mathrm{nbe}^T_{\Psi;\Gamma}(t')$.

Theorem 2 (Soundness). If $\Psi;\Gamma \vdash_1 t : T$, then $\Psi;\Gamma \vdash_1 t \approx \mathrm{nbe}^T_{\Psi;\Gamma}(t) : T$.


The completeness theorem states that equivalent terms have equal normal forms, so we can compare the syntactic equality between normal forms to decide whether two terms are equivalent. The soundness theorem states that a well-typed term has and is equivalent to its normal form. Notice that the theorems are about layer 1 because only terms at this layer compute. In the remainder of this section, we outline only the soundness proof. For complete details, please refer to our technical report.


4.3 Soundness 


The soundness theorem is established via gluing models, which relate syntactic terms with semantic values. In our 2-layered system, we need two layers of gluing models, which reflect the fact that we are actually operating in two languages. For a gluing relation $R$, we write $a \sim b \in R$ to denote $(a,b) \in R$.

Layer-0 Gluing Model We begin with the gluing model for natural numbers. It recursively relates a term $t$ and a normal form of type Nat. This gluing relation applies for both layers:


\[
\frac{\Psi;\Gamma \vdash_1 t \approx \mathsf{zero} : \mathsf{Nat}}{t \sim \mathsf{zero} \in \mathsf{Nat}_{\Psi;\Gamma}}
\qquad
\frac{\Psi;\Gamma \vdash_1 t \approx \mathsf{succ}\ t' : \mathsf{Nat} \quad t' \sim w \in \mathsf{Nat}_{\Psi;\Gamma}}{t \sim \mathsf{succ}\ w \in \mathsf{Nat}_{\Psi;\Gamma}}
\qquad
\frac{\Psi;\Gamma \vdash_1 t \approx v : \mathsf{Nat}}{t \sim v \in \mathsf{Nat}_{\Psi;\Gamma}}
\]

At layer 0, for all $T\ \mathrm{wf}^0$, its gluing model is:
\[
\begin{array}{l}
\llparenthesis T \rrparenthesis^0_{\Psi;\Gamma} \subseteq \mathrm{Exp} \times \llbracket T \rrbracket_{\Psi;\Gamma} \\
\llparenthesis \mathsf{Nat} \rrparenthesis^0_{\Psi;\Gamma} := \mathsf{Nat}_{\Psi;\Gamma} \\
\llparenthesis S \to T \rrparenthesis^0_{\Psi;\Gamma} := \{ (t, a) \mid \forall\, \gamma;\tau : \Phi;\Delta \Rightarrow \Psi;\Gamma,\ s \sim b \in \llparenthesis S \rrparenthesis^0_{\Phi;\Delta}.\ t[\gamma;\tau]\ s \sim a(\gamma;\tau, b) \in \llparenthesis T \rrparenthesis^0_{\Phi;\Delta} \}
\end{array}
\]


$\llparenthesis T \rrparenthesis^0$ does not have a case for $\Box$ due to $T\ \mathrm{wf}^0$. The function case requires that the results of function applications remain related for all weakenings and all related arguments. The gluing between local substitutions and evaluation environments $\delta \sim \rho \in \llparenthesis \Delta \rrparenthesis^0_{\Psi;\Gamma}$ is defined by using $\llparenthesis T \rrparenthesis^0$ to relate terms and values pairwise.

Definition 2. We define the semantic judgment at layer 0:
\[
\Psi;\Gamma \Vdash_0 t : T := \forall\, \gamma : \Phi \Rightarrow \Psi \text{ and } \delta \sim \rho \in \llparenthesis \Gamma \rrparenthesis^0_{\Phi;\Delta}.\ t[\gamma][\delta] \sim \llbracket t \rrbracket_{\Phi;\Delta}(\gamma;\rho) \in \llparenthesis T \rrparenthesis^0_{\Phi;\Delta}
\]

The semantic judgment at layer 0 only universally quantifies over global weakenings.


Layer-1 Gluing Model The reason why we must define the layer-0 gluing model first is that we refer to $\Psi;\Gamma \Vdash_0 t : T$ in our layer-1 model. The semantics of $\Box(\Delta \vdash T)$ is given in terms of the semantic judgment at layer 0:
\[
\frac{\Psi;\Gamma \vdash_1 t \approx \mathsf{box}\ s : \Box(\Delta \vdash T) \quad \Psi;\Delta \Vdash_0 s : T}{t \sim \mathsf{box}\ s \in \Box(\Delta \vdash T)_{\Psi;\Gamma}}
\qquad
\frac{\Psi;\Gamma \vdash_1 t \approx v : \Box(\Delta \vdash T)}{t \sim v \in \Box(\Delta \vdash T)_{\Psi;\Gamma}}
\]


In the first rule, $t$ is related to box $s$ and $s$ is a semantically well-typed term at layer 0. The premise $\Psi;\Delta \Vdash_0 s : T$ is necessary when we prove the semantic typing rule for letbox. Without it, we would not be able to maintain the semantic well-formedness of global substitutions during evaluation and in the semantic judgment at layer 1. The details are in our technical report. The gluing model at layer 1 for $T\ \mathrm{wf}^1$ is now defined as:
\[
\begin{array}{l}
\llparenthesis T \rrparenthesis^1_{\Psi;\Gamma} \subseteq \mathrm{Exp} \times \llbracket T \rrbracket_{\Psi;\Gamma} \\
\llparenthesis \mathsf{Nat} \rrparenthesis^1_{\Psi;\Gamma} := \mathsf{Nat}_{\Psi;\Gamma} \\
\llparenthesis \Box(\Delta \vdash T) \rrparenthesis^1_{\Psi;\Gamma} := \Box(\Delta \vdash T)_{\Psi;\Gamma} \\
\llparenthesis S \to T \rrparenthesis^1_{\Psi;\Gamma} := \{ (t, a) \mid \forall\, \gamma;\tau : \Phi;\Delta \Rightarrow \Psi;\Gamma,\ s \sim b \in \llparenthesis S \rrparenthesis^1_{\Phi;\Delta}.\ t[\gamma;\tau]\ s \sim a(\gamma;\tau, b) \in \llparenthesis T \rrparenthesis^1_{\Phi;\Delta} \}
\end{array}
\]


Compared to the layer-0 model, the layer-1 model only has an extra case $\llparenthesis \Box(\Delta \vdash T) \rrparenthesis^1$. The other two cases are just the same:

Lemma 7. If $T\ \mathrm{wf}^0$, then $\llparenthesis T \rrparenthesis^0_{\Psi;\Gamma} = \llparenthesis T \rrparenthesis^1_{\Psi;\Gamma}$.

This lemma semantically describes the matryoshka principle, witnessing the subsumption of layer 0 into layer 1. The semantic judgment at layer 1 is universally quantified over a semantic global substitution defined below:
\[
\frac{\Psi\ \mathrm{wf}^0}{\Psi \Vdash \cdot : \cdot}
\qquad
\frac{\Psi \Vdash \sigma : \Phi \quad \Psi;\Gamma \Vdash_0 t : T}{\Psi \Vdash \sigma, t/u : \Phi, u : (\Gamma \vdash T)}
\]

We define the semantic judgment at layer 1:
\[
\Psi;\Gamma \Vdash_1 t : T := \forall\, \Phi \Vdash \sigma : \Psi \text{ and } \delta \sim \rho \in \llparenthesis \Gamma \rrparenthesis^1_{\Phi;\Delta}.\ t[\sigma][\delta] \sim \llbracket t \rrbracket_{\Phi;\Delta}(\sigma;\rho) \in \llparenthesis T \rrparenthesis^1_{\Phi;\Delta}
\]

The fundamental theorem is established by proving all semantic typing rules:
The fundamental theorem is established by proving all semantic typing rules: 


Theorem 3 (Fundamental). If $\Psi;\Gamma \vdash_1 t : T$, then $\Psi;\Gamma \Vdash_1 t : T$.
If $\Psi;\Gamma \vdash_1 \delta : \Delta$, then $\Psi;\Gamma \Vdash_1 \delta : \Delta$.


5 Supporting Pattern Matching on Code 


In the previous section, we achieved feature (1) and partly feature (2). In this section, we extend the previous system with pattern matching on code, so that all the features are accounted for. We adapt the presheaf model and show that the normalization algorithm remains complete and sound. We introduce a creative semantics in the soundness proof in order to justify pattern matching on code.


5.1 Extension of Pattern Matching 


In this section, we extend our previous 2-layered modal type theory with pattern matching on code as follows.
\[
\begin{array}{lll}
s, t & := & \cdots \mid \mathsf{match}\ t\ \mathsf{with}\ \vec{b} \quad (\text{Terms, Exp}) \\
b & := & \mathsf{var}_x \Rightarrow t \mid \mathsf{zero} \Rightarrow t \mid \mathsf{succ}\ ?u \Rightarrow t \mid \lambda x.?u \Rightarrow t \mid ?u\ ?u' \Rightarrow t \\
& & \mid \mathsf{rec}_T\ ?u\ (x\ y.?u')\ ?u'' \Rightarrow t \quad (\text{Branches})
\end{array}
\]


We extend the system with another elimination form of $\Box(\Gamma \vdash T)$, pattern matching ($\mathsf{match}\ t\ \mathsf{with}\ \vec{b}$), where $\vec{b}$ is a list of all possible branches of $t$. The branches only need to match terms in STLC because pattern matching is only available at layer 1 and the scrutinee is code from layer 0. We do not directly support nested patterns like $(\lambda x.?u)\ ?u'$ to keep the system simple, but they can be encoded as nested pattern matchings. Supporting any useful general recursor (e.g. [17,29]) would require context variables, which abstract over local contexts, and type polymorphism. We see these extensions as orthogonal to layering and leave them to future work.

Further modifications to the typing and equivalence rules are in Fig. 6. We omit the case for rec for conciseness. The typing rule for match uses the judgment $\Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T'$. This judgment enumerates all possible branches based on the type of the scrutinee. This guarantees coverage of pattern matching, i.e. that $\vec{b}$ is indeed a list of all possible branches for a given scrutinee of type $\Box(\Delta \vdash T)$.

\[
\begin{array}{c}
\boxed{\Psi;\Gamma \vdash_i t : T}\ \text{Term } t \text{ has type } T \text{ in contexts } \Psi \text{ and } \Gamma \text{ at layer } i \text{ where } i \in [0,1] \\[1ex]
\dfrac{\Psi;\Gamma \vdash_1 s : \Box(\Delta \vdash T) \quad \Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T'}{\Psi;\Gamma \vdash_1 \mathsf{match}\ s\ \mathsf{with}\ \vec{b} : T'} \\[2ex]
\boxed{\Psi;\Gamma \vdash_1 b : \Delta \vdash T \Rightarrow T'}\ b \text{ is a branch of type } T' \text{ w.r.t. a code of type } T \text{ open in } \Delta. \\[1ex]
\dfrac{\Delta\ \mathrm{wf}^0 \quad x : T \in \Delta \quad \Psi;\Gamma \vdash_1 t : T'}{\Psi;\Gamma \vdash_1 \mathsf{var}_x \Rightarrow t : \Delta \vdash T \Rightarrow T'}
\qquad
\dfrac{\Delta\ \mathrm{wf}^0 \quad \Psi;\Gamma \vdash_1 t : T'}{\Psi;\Gamma \vdash_1 \mathsf{zero} \Rightarrow t : \Delta \vdash \mathsf{Nat} \Rightarrow T'} \\[2ex]
\dfrac{\Psi, u : (\Delta \vdash \mathsf{Nat}); \Gamma \vdash_1 t : T'}{\Psi;\Gamma \vdash_1 \mathsf{succ}\ ?u \Rightarrow t : \Delta \vdash \mathsf{Nat} \Rightarrow T'}
\qquad
\dfrac{\Psi, u : (\Delta, x : S \vdash T); \Gamma \vdash_1 t : T'}{\Psi;\Gamma \vdash_1 \lambda x.?u \Rightarrow t : \Delta \vdash S \to T \Rightarrow T'} \\[2ex]
\dfrac{\forall\, S\ \mathrm{wf}^0.\ \Psi, u : (\Delta \vdash S \to T), u' : (\Delta \vdash S); \Gamma \vdash_1 t : T'}{\Psi;\Gamma \vdash_1 ?u\ ?u' \Rightarrow t : \Delta \vdash T \Rightarrow T'} \\[2ex]
\boxed{\Psi;\Gamma \vdash_i t \approx t' : T}\ \text{Terms } t \text{ and } t' \text{ are equivalent } (\beta \text{ rules for } \mathsf{match}) \\[1ex]
\dfrac{x : T \in \Delta \quad \Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T' \quad \vec{b}(x) = \mathsf{var}_x \Rightarrow t}{\Psi;\Gamma \vdash_1 \mathsf{match}\ \mathsf{box}\ x\ \mathsf{with}\ \vec{b} \approx t : T'} \\[2ex]
\dfrac{\Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash \mathsf{Nat} \Rightarrow T' \quad \vec{b}(\mathsf{zero}) = \mathsf{zero} \Rightarrow t}{\Psi;\Gamma \vdash_1 \mathsf{match}\ \mathsf{box}\ \mathsf{zero}\ \mathsf{with}\ \vec{b} \approx t : T'} \\[2ex]
\dfrac{\Psi;\Delta \vdash_0 s : \mathsf{Nat} \quad \Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash \mathsf{Nat} \Rightarrow T' \quad \vec{b}(\mathsf{succ}\ s) = \mathsf{succ}\ ?u \Rightarrow t}{\Psi;\Gamma \vdash_1 \mathsf{match}\ \mathsf{box}\ (\mathsf{succ}\ s)\ \mathsf{with}\ \vec{b} \approx t[s/u] : T'} \\[2ex]
\dfrac{\Psi;\Delta, x : S \vdash_0 s : T \quad \Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash S \to T \Rightarrow T' \quad \vec{b}(\lambda x.s) = \lambda x.?u \Rightarrow t}{\Psi;\Gamma \vdash_1 \mathsf{match}\ \mathsf{box}\ (\lambda x.s)\ \mathsf{with}\ \vec{b} \approx t[s/u] : T'} \\[2ex]
\dfrac{\Psi;\Delta \vdash_0 t : S \to T \quad \Psi;\Delta \vdash_0 s : S \quad \Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T' \quad \vec{b}(t\ s) = ?u\ ?u' \Rightarrow t'}{\Psi;\Gamma \vdash_1 \mathsf{match}\ \mathsf{box}\ (t\ s)\ \mathsf{with}\ \vec{b} \approx t'[t/u, s/u'] : T'}
\end{array}
\]

Fig. 6: Adjusted rules with contextual types

All typing rules for individual branches are similar. For example, if the pattern is $\lambda x.?u$, then $u$ captures the body of some $\lambda$. The branch body $t$ is checked with $u$ bound to $(\Delta, x : S \vdash T)$, which has a larger local context than the $\Delta$ we begin with. If the branch matches a function application, our premise requires that $t$ is well-typed for all $S\ \mathrm{wf}^0$. This universal quantification should be read as a higher-order derivation that applies for all $S\ \mathrm{wf}^0$ (see also [60]) and where we keep $S$ abstract as a parameter.

The bottom of Fig. 6 gives the $\beta$ rules for pattern matching. Based on the structure of the scrutinee, we dispatch to the right branch and propagate instantiations for pattern variables via global substitutions to the bodies. Notations like $\vec{b}(\mathsf{succ}\ s)$ denote the lookup of $\vec{b}$ based on a given shape. For example, $\vec{b}(\mathsf{succ}\ s) = \mathsf{succ}\ ?u \Rightarrow t$ means that we look up $\mathsf{succ}\ s$ in $\vec{b}$ and find the branch $\mathsf{succ}\ ?u \Rightarrow t$. Then $s$ is meant to substitute $u$ in $t$. This lookup is guaranteed to succeed because $\Psi;\Gamma \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T'$ is covering.


5.2 Neutral Forms 


Careful readers might have noticed that in our grammar of branches, we do not have a case for global variables, nor do we have a $\beta$ rule for pattern matching on box $u$. So what should $\mathsf{match}\ \mathsf{box}\ u\ \mathsf{with}\ \vec{b}$ be reduced to? The answer might be surprising: this term in fact is blocked. Previously, we mentioned a concern about isapp raised by Kavvos [33]. His subsequent analysis concludes that sound intensional operations can only act on globally and locally closed code. This restriction is clearly too strong. After looking into the analysis, we see that this conclusion is based on the assumption that intensional operations reduce on box $u^\delta$, which leads to the strong restriction. $\mathsf{match}\ \mathsf{box}\ u^\delta\ \mathsf{with}\ \vec{b}$ should not reduce, for the same reason that $\mathsf{match}\ x\ \mathsf{with}\ \vec{b}$ should not. They are both waiting for substitutions to supply actual code to unblock the evaluation. Their only difference is that they act on different substitutions. This observation leads to a renewed definition of neutral forms:
\[
\begin{array}{lll}
v & := & \cdots \mid \mathsf{match}\ v\ \mathsf{with}\ \vec{r} \mid \mathsf{match}\ \mathsf{box}\ u^\delta\ \mathsf{with}\ \vec{r} \quad (\text{Neutral form (Ne)}) \\
r & := & \mathsf{var}_x \Rightarrow w \mid \mathsf{zero} \Rightarrow w \mid \mathsf{succ}\ ?u \Rightarrow w \mid \lambda x.?u \Rightarrow w \mid ?u\ ?u' \Rightarrow w \\
& & \mid \mathsf{rec}_T\ ?u\ (x\ y.?u')\ ?u'' \Rightarrow w \quad (\text{Normal branches})
\end{array}
\]


The definition of normal forms, described by $w$, remains the same. To obtain normal forms, all branches should be normalized. If $u^\delta$ is a scrutinee of a match, its local substitution stays as is because it is considered as code. This adjustment is subtle but critical to give a sound presheaf model.

Moreover, notice that $\mathsf{letbox}\ u \leftarrow \mathsf{box}\ u'\ \mathsf{in}\ t$ does not get blocked. This difference in computational behaviors is due to the different purposes of the two elimination forms. letbox is primarily for code composition and the execution of code, while pattern matching focuses on intensional analysis of code. For this reason, we include both letbox and pattern matching as elimination forms. They coexist perfectly at layer 1 because our core theory at layer 0 is unaffected. Without layering, both letbox and pattern matching are available everywhere, including inside of box, which causes all sorts of complex interactions and makes the computational behavior of the whole type theory difficult to control. This is why former systems based on [17] are so difficult to extend with intensional analysis in a controlled manner. Now we have introduced pattern matching on code and achieved feature (3) outlined in Sec. 1. In the rest of this section, we fix the normalization proof and justify that this system is a proper type theory.


5.3 Adjusting the Presheaf Model 


Since we only add an elimination form, we simply extend the model in Sec. 4. The adjustments are shown in Fig. 7. Two additional functions are defined: first, the match function dispatches evaluation to the proper branch based on the input code and evaluates the body with a global substitution and an evaluation environment; second, nfbranch normalizes the body of a branch and obtains a normal branch. Applying nfbranch to $\vec{b}$ normalizes all branches in $\vec{b}$. nfbranch is invoked when we normalize a pattern matching on some neutral code.

Let us consider the match case. We first evaluate the scrutinee. If the result is a neutral term, then we simply invoke nfbranch to normalize all branch bodies, and then use reflection to obtain a $\llbracket T \rrbracket_{\Psi;\Gamma}$. Each case in nfbranch proceeds similarly. The evaluation of the body continues with the global substitution extended with pattern variables. The evaluated body is then reified to a normal form and thus the resulting branch is also normal. If the result is box $s$, then we match the code $s$ accordingly with a branch and evaluate the body. This is done by calling the match function. Based on the shape of $s$, the match function looks up $\vec{b}$ and extends $\sigma$ accordingly before evaluating the body. For example, if $s$ is a $\lambda$, then the branch $\lambda x.?u \Rightarrow t$ is picked, and $t$ is evaluated. The lookup of $\vec{b}$ must succeed because our pattern matching is covering. However, if $s$ is just a global variable, based on the previous discussion on neutral forms, we must block the evaluation and only normalize the branches. The case forms a neutral form and is essentially the same as if the scrutinee is evaluated to a neutral.

The presheaf interpretation gives a semantic explanation of how layering enables sound pattern matching on code and why it is difficult in purely homogeneous systems. A term of type $\Box(\Gamma \vdash T)$ has two different uses: it either stands for code that will be run (due to letbox) or it stands for code that will be analyzed (due to pattern matching). In the former case, it is evaluated to a natural transformation in the semantics, while in the latter, only its syntactic information is needed. Moreover, these two uses are not mutually exclusive. A program might use both semantic and syntactic information of the same code. To support pattern matching on code, we must maintain both semantic and syntactic information and therefore the evaluation of code must be postponed. In our setting, this evaluation only happens when we evaluate a global variable at layer 1. The evaluation function evaluates the code represented by the global variable and maintains its well-foundedness by decreasing the layer from 1 to 0. Meanwhile, in a homogeneous system without layers, it is no longer clear how to give a well-founded evaluation of a global variable, due to the lack of a proper measure, if intensional analysis is supported.

As we will see very shortly, the intuition above based on two different uses of code must be formalized in the gluing model in order to establish a soundness proof, giving a formal account for the importance of layering.


5.4 Soundness 


Recall that in Sec. 4.3 we need a 2-layered model, where the layer-1 model refers to the semantic judgment at layer 0 to support letbox. The semantic judgment at layer 0 is defined as a universal quantification over global weakenings and the gluing between local substitutions and evaluation environments:
\[
\Psi;\Gamma \Vdash_0 t : T := \forall\, \gamma : \Phi \Rightarrow \Psi \text{ and } \delta \sim \rho \in \llparenthesis \Gamma \rrparenthesis^0_{\Phi;\Delta}.\ t[\gamma][\delta] \sim \llbracket t \rrbracket_{\Phi;\Delta}(\gamma;\rho) \in \llparenthesis T \rrparenthesis^0_{\Phi;\Delta}
\]


\[
\begin{array}{l}
\llbracket \_ \rrbracket_{\Psi;\Gamma} : \Phi;\Delta \vdash_i t : T \to \llbracket \Phi;\Delta \rrbracket_{\Psi;\Gamma} \to \llbracket T \rrbracket_{\Psi;\Gamma} \quad (\text{Evaluation}) \\[1ex]
\llbracket \mathsf{match}\ t\ \mathsf{with}\ \vec{b} \rrbracket_{\Psi;\Gamma}(\sigma;\rho) := \mathsf{match}(s, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) \quad (\text{if } \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho) = \mathsf{box}\ s) \\
\llbracket \mathsf{match}\ t\ \mathsf{with}\ \vec{b} \rrbracket_{\Psi;\Gamma}(\sigma;\rho) := \uparrow^{T'}_{\Psi;\Gamma}(\mathsf{match}\ v\ \mathsf{with}\ \vec{r}) \\
\qquad (\text{if } \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho) = v : \Box(\Delta' \vdash S) \text{ for some } \Delta' \text{ and } \vec{r} := \mathsf{nfbranch}(\vec{b})_{\Psi;\Gamma}(\sigma;\rho)) \\[1ex]
\mathsf{match} : \Psi;\Delta \vdash_0 t : T \to \Phi;\Delta' \vdash_1 \vec{b} : \Delta \vdash T \Rightarrow T' \to \llbracket \Phi;\Delta' \rrbracket_{\Psi;\Gamma} \to \llbracket T' \rrbracket_{\Psi;\Gamma} \quad (\text{Branch Evaluation Based on Code}) \\[1ex]
\mathsf{match}(x, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho) \quad (\text{where } \mathsf{var}_x \Rightarrow t := \vec{b}(x)) \\
\mathsf{match}(\mathsf{zero}, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho) \quad (\text{where } \mathsf{zero} \Rightarrow t := \vec{b}(\mathsf{zero})) \\
\mathsf{match}(\mathsf{succ}\ s, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma, s/u; \rho) \quad (\text{where } \mathsf{succ}\ ?u \Rightarrow t := \vec{b}(\mathsf{succ}\ s)) \\
\mathsf{match}(\lambda x.s, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma, s/u; \rho) \quad (\text{where } \lambda x.?u \Rightarrow t := \vec{b}(\lambda x.s)) \\
\mathsf{match}(t'\ s, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \llbracket t \rrbracket_{\Psi;\Gamma}(\sigma, t'/u, s/u'; \rho) \quad (\text{where } ?u\ ?u' \Rightarrow t := \vec{b}(t'\ s)) \\
\mathsf{match}(u^\delta, \vec{b})_{\Psi;\Gamma}(\sigma;\rho) := \uparrow^{T'}_{\Psi;\Gamma}(\mathsf{match}\ \mathsf{box}\ u^\delta\ \mathsf{with}\ \vec{r}) \quad (\text{where } \vec{r} := \mathsf{nfbranch}(\vec{b})_{\Psi;\Gamma}(\sigma;\rho)) \\[1ex]
\mathsf{nfbranch} : \Phi;\Delta' \vdash_1 b : \Delta \vdash T \Rightarrow T' \to \llbracket \Phi;\Delta' \rrbracket_{\Psi;\Gamma} \to \Psi;\Gamma \vdash r : \Delta \vdash T \Rightarrow T' \quad (\text{Normalization of a Branch}) \\[1ex]
\mathsf{nfbranch}(\mathsf{var}_x \Rightarrow t)_{\Psi;\Gamma}(\sigma;\rho) := \mathsf{var}_x \Rightarrow \downarrow^{T'}_{\Psi;\Gamma}(\llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho)) \\
\mathsf{nfbranch}(\mathsf{zero} \Rightarrow t)_{\Psi;\Gamma}(\sigma;\rho) := \mathsf{zero} \Rightarrow \downarrow^{T'}_{\Psi;\Gamma}(\llbracket t \rrbracket_{\Psi;\Gamma}(\sigma;\rho)) \\
\mathsf{nfbranch}(\mathsf{succ}\ ?u \Rightarrow t)_{\Psi;\Gamma}(\sigma;\rho) := \mathsf{succ}\ ?u \Rightarrow \downarrow^{T'}_{\Psi';\Gamma}(\llbracket t \rrbracket_{\Psi';\Gamma}(\sigma', u/u; \rho')) \\
\qquad (\text{where } \Psi' := \Psi, u : (\Delta \vdash \mathsf{Nat}) \text{ and } (\sigma';\rho') := (\sigma;\rho)[p(\mathrm{id}); \mathrm{id}] \in \llbracket \Phi;\Delta' \rrbracket_{\Psi';\Gamma}) \\
\mathsf{nfbranch}(\lambda x.?u \Rightarrow t)_{\Psi;\Gamma}(\sigma;\rho) := \lambda x.?u \Rightarrow \downarrow^{T'}_{\Psi';\Gamma}(\llbracket t \rrbracket_{\Psi';\Gamma}(\sigma', u/u; \rho')) \\
\qquad (\text{where } x : S,\ \Psi' := \Psi, u : (\Delta, x : S \vdash T) \text{ and } (\sigma';\rho') := (\sigma;\rho)[p(\mathrm{id}); \mathrm{id}] \in \llbracket \Phi;\Delta' \rrbracket_{\Psi';\Gamma}) \\
\mathsf{nfbranch}(?u\ ?u' \Rightarrow t)_{\Psi;\Gamma}(\sigma;\rho) := ?u\ ?u' \Rightarrow \downarrow^{T'}_{\Psi';\Gamma}(\llbracket t \rrbracket_{\Psi';\Gamma}(\sigma', u/u, u'/u'; \rho')) \\
\qquad (\text{for any } S\ \mathrm{wf}^0, \text{ where } \Psi' := \Psi, u : (\Delta \vdash S \to T), u' : (\Delta \vdash S) \\
\qquad \text{ and } (\sigma';\rho') := (\sigma;\rho)[p(p(\mathrm{id})); \mathrm{id}] \in \llbracket \Phi;\Delta' \rrbracket_{\Psi';\Gamma})
\end{array}
\]

Fig. 7: Adjustments to the presheaf model


This definition, taken from Sec. 4.3, unfortunately cannot support the semantic rule for pattern matching. Consider some $\Psi;\Gamma \Vdash_0 t\ s : T$. To prove that pattern matching on code is semantically sound, we perform an analysis on the structure of $t\ s$. But we are stuck, because we cannot derive $\Psi;\Gamma \Vdash_0 t : S \to T$ or $\Psi;\Gamma \Vdash_0 s : S$ for some $S$. In general, the semantic information of subterms is lost. To support pattern matching on code, our semantic judgment must maintain both the syntactic structure of the code and the semantic information of all subterms. Therefore, our semantic judgment at layer 0 becomes inductively defined (Fig. 8). These rules are essentially just the typing rules with some extra $\Psi;\Gamma \models_0 t : T$ premises, where from here on $\models_0$ denotes the gluing-based judgment of Definition 2 recalled above and $\Vdash_0$ the inductive judgment of Fig. 8. The inductive definition makes sure that the semantic information for all subterms is maintained.

\[
\begin{array}{c}
\dfrac{\Psi\ \mathrm{wf}^0 \quad \Gamma\ \mathrm{wf}^0}{\Psi;\Gamma \Vdash_0 \cdot : \cdot}
\qquad
\dfrac{\Psi;\Gamma \Vdash_0 \delta : \Delta \quad \Psi;\Gamma \Vdash_0 t : T}{\Psi;\Gamma \Vdash_0 \delta, t/x : \Delta, x : T}
\qquad
\dfrac{\Psi\ \mathrm{wf}^0 \quad \Gamma\ \mathrm{wf}^0}{\Psi;\Gamma \Vdash_0 \mathsf{zero} : \mathsf{Nat}} \\[2ex]
\dfrac{\Psi;\Gamma \Vdash_0 t : \mathsf{Nat} \quad \Psi;\Gamma \models_0 \mathsf{succ}\ t : \mathsf{Nat}}{\Psi;\Gamma \Vdash_0 \mathsf{succ}\ t : \mathsf{Nat}}
\qquad
\dfrac{\Psi\ \mathrm{wf}^0 \quad \Gamma\ \mathrm{wf}^0 \quad x : T \in \Gamma}{\Psi;\Gamma \Vdash_0 x : T}
\qquad
\dfrac{\Psi;\Gamma \Vdash_0 \delta : \Delta \quad u : (\Delta \vdash T) \in \Psi \quad \Psi;\Gamma \models_0 u^\delta : T}{\Psi;\Gamma \Vdash_0 u^\delta : T} \\[2ex]
\dfrac{\Psi;\Gamma, x : S \Vdash_0 t : T \quad \Psi;\Gamma \models_0 \lambda x.t : S \to T}{\Psi;\Gamma \Vdash_0 \lambda x.t : S \to T}
\qquad
\dfrac{\Psi;\Gamma \Vdash_0 t : S \to T \quad \Psi;\Gamma \Vdash_0 s : S \quad \Psi;\Gamma \models_0 t\ s : T}{\Psi;\Gamma \Vdash_0 t\ s : T}
\end{array}
\]

Fig. 8: Layer-0 semantic judgment

Finally, we refer to $\Psi;\Gamma \Vdash_0 t : T$ when we define the gluing relation for $\Box(\Delta \vdash T)$ at layer 1. This allows us to inspect the syntactic structure of $t$ during an evaluation of pattern matching and access its semantic information at the same time. We refer readers to our technical report for the proofs of the semantic rules for pattern matching. At layer 1, we use the new semantic judgment $\Psi;\Gamma \Vdash_0 t : T$ at layer 0 to define the semantic judgment for global substitutions $\Phi \Vdash \sigma : \Psi$, and then define the semantic judgment for terms and local substitutions:
\[
\begin{array}{l}
\Psi;\Gamma \Vdash_1 t : T := \forall\, \Phi \Vdash \sigma : \Psi \text{ and } \delta \sim \rho \in \llparenthesis \Gamma \rrparenthesis^1_{\Phi;\Delta}.\ t[\sigma][\delta] \sim \llbracket t \rrbracket_{\Phi;\Delta}(\sigma;\rho) \in \llparenthesis T \rrparenthesis^1_{\Phi;\Delta} \\
\Psi;\Gamma \Vdash_1 \delta' : \Delta' := \forall\, \Phi \Vdash \sigma : \Psi \text{ and } \delta \sim \rho \in \llparenthesis \Gamma \rrparenthesis^1_{\Phi;\Delta}.\ \delta'[\sigma] \circ \delta \sim \llbracket \delta' \rrbracket_{\Phi;\Delta}(\sigma;\rho) \in \llparenthesis \Delta' \rrparenthesis^1_{\Phi;\Delta}
\end{array}
\]


By proving and then instantiating the fundamental theorems, we obtain the 
soundness proof. 


6 Future Extensions to Layered Systems 


We have shown that 2-layered modal type theory supports intensional analysis 
and retains normalization. In this section, we build on our previous development 
and describe three possible extensions of layered systems as future work. 


6.1 Extending to Complex Type Systems 


In this paper, so far we have only focused on simple types. Layering, however, is a powerful idea that, we believe, scales naturally. A natural extension is to consider System F, the foundation for many practical programming languages like Haskell and the ML family, as the core language. The Haskell and ML communities have expressed strong interest in meta-programming [49595818485153] etc. Layering provides a simple solution to this problem. In 2-layered System F, we replace validity of types with well-kindedness of types: $\Psi;\Gamma \vdash_i T : *$. Following the matryoshka principle, at layer 0, we operate in System F, while at layer 1, we work in a meta-language extending System F with one layer of $\Box$. We hope that 2-layered System F not only guarantees the well-scopedness and well-typedness of code, but is also normalizing, following our development here.

Besides System F, we are also interested in using Martin-Löf type theory (MLTT) as the base language. 2-layered MLTT would provide a foundation for tactic languages and meta-programming in proof assistants like Coq, Agda and Lean. Following our previous development, we expect that 2-layered MLTT enables (1) the reuse of all definitions from layer 0 at layer 1, and (2) the guarantee of well-scopedness and well-typedness of all code. Since in MLTT types are also terms, we simply reuse contextual types $\Box(\Gamma \vdash \mathsf{Type})$ for code of types.

One challenge we expect from extending MLTT with layering is the semantics of code. For example, when we pattern match on code $t : (\lambda x.x)\ \mathsf{Nat}$, we expect that the type is reduced to Nat. That is, $(\lambda x.x)\ \mathsf{Nat}$ and Nat as types are considered the same even for code. We effectively take a quotient of code over types. This behavior aligns well with quotient inductive-inductive types (QIIT) [B16] and we expect QIIT to appear in the semantics in some form, but we leave the detailed investigation as future work.


6.2 Extending Power of Layer 1 


Though pattern matching allows inspection of code, not all operations can be defined easily in this way. For example, the weak head normal form reduction (whnf) on a term is not defined by a simple structural recursion on the syntax of the term. In 2-layered modal type theory, we can extend a whnf operation at layer 1 and still maintain normalization. The following are the rewrite rules for whnf, and we can extend our previous normalization algorithm in Sec. 5 with a rewrite process [90]:
\[
\begin{array}{ll}
\mathsf{whnf}(\mathsf{box}\ \mathsf{zero}) \leadsto \mathsf{box}\ \mathsf{zero} & \mathsf{whnf}(\mathsf{box}\ (\mathsf{succ}\ t)) \leadsto \mathsf{box}\ (\mathsf{succ}\ t) \\[1ex]
\mathsf{whnf}(\mathsf{box}\ (\lambda x.t)) \leadsto \mathsf{box}\ (\lambda x.t) & \mathsf{whnf}(\mathsf{box}\ ((\lambda x.t)\ s)) \leadsto \mathsf{whnf}(\mathsf{box}\ (t[s/x])) \\[1ex]
\mathsf{whnf}(\mathsf{box}\ x) \leadsto \mathsf{box}\ x & \dfrac{\mathsf{whnf}(\mathsf{box}\ t) \leadsto \mathsf{whnf}(\mathsf{box}\ t')}{\mathsf{whnf}(\mathsf{box}\ (t\ s)) \leadsto \mathsf{whnf}(\mathsf{box}\ (t'\ s))}
\end{array}
\]


whnf does not go under succ or $\lambda$ and is only available at layer 1. Both local and global substitutions simply propagate under whnf. The rewrite process repeats these rules until no rule matches. This process will terminate due to the strong normalization of STLC, and therefore the whole system remains terminating. However, with global variables, we must apply extra care to maintain confluence and eventually normalization. In Sec. we discuss the impact of global substitutions and the necessity of their stability. When we extend layer 1 with another operation, we must also make sure that this extended operation is stable under global substitutions. When whnf encounters a global variable in the head position, such as $\mathsf{whnf}(\mathsf{box}\ u^\delta)$ or $\mathsf{whnf}(\mathsf{box}\ (u^\delta\ s))$, there is no matching rule and the rewrite process stops, for the same reason that pattern matching stops for box $u^\delta$. The lack of a reduction rule when a global variable is in the head position is particularly important. With whnf, we can now simplify a term before matching, which is a very useful and typical tactic in proof assistants:
\[
\begin{array}{l}
\mathsf{match}\ \mathsf{box}\ ((\lambda x.x)\ \mathsf{zero})\ \mathsf{with} \mid \mathsf{zero} \Rightarrow \mathsf{true} \mid \_ \Rightarrow \mathsf{false} \leadsto \mathsf{false} \\[1ex]
\mathsf{match}\ \mathsf{whnf}(\mathsf{box}\ ((\lambda x.x)\ \mathsf{zero}))\ \mathsf{with} \mid \mathsf{zero} \Rightarrow \mathsf{true} \mid \_ \Rightarrow \mathsf{false} \leadsto \mathsf{true}
\end{array}
\]

Due to layering, whnf only needs to consider terms in STLC at layer 0. In a homogeneous system, whnf must apply to all possible code, and thus becomes troublesome to define. This extensibility of layer 1 is an important and useful feature for a foundation for meta-programming in proof assistants.
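As an added illustration that is not code from the paper, the following Python models the two layer-1 operations discussed above over layer-0 code: the match function of Sec. 5.3 (Fig. 7), which dispatches on the shape of the scrutinee and extends the global substitution with the pattern variables, and the whnf rewrite rules of Sec. 6.2. Both stop on a global variable u^δ, exactly the blocked cases of Secs. 5.2 and 6.2. The term representation, the branch-list encoding and the names `match_code`, `whnf`, `is_zero_branches`, `PRED` and `BLOCKED` are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple, Union

# Layer-0 code: STLC with Nat, plus global variables u^δ. δ is kept explicit
# as (x, term) pairs so that local substitutions can be pushed into it.
@dataclass(frozen=True)
class Var:  name: str
@dataclass(frozen=True)
class Zero: pass
@dataclass(frozen=True)
class Succ: arg: "Term"
@dataclass(frozen=True)
class Lam:  param: str; body: "Term"
@dataclass(frozen=True)
class App:  fn: "Term"; arg: "Term"
@dataclass(frozen=True)
class GVar: name: str; delta: Tuple[Tuple[str, "Term"], ...] = ()

Term = Union[Var, Zero, Succ, Lam, App, GVar]

def subst(t: Term, x: str, s: Term) -> Term:
    """t[s/x]. Assumes binders in t do not capture free variables of s (true
    for the constructed inputs below). For u^δ the substitution goes into δ."""
    if isinstance(t, Var):  return s if t.name == x else t
    if isinstance(t, Zero): return t
    if isinstance(t, Succ): return Succ(subst(t.arg, x, s))
    if isinstance(t, Lam):  return t if t.param == x else Lam(t.param, subst(t.body, x, s))
    if isinstance(t, App):  return App(subst(t.fn, x, s), subst(t.arg, x, s))
    return GVar(t.name, tuple((y, subst(e, x, s)) for y, e in t.delta))

def whnf(t: Term) -> Term:
    """Apply the whnf rewrite rules of Sec. 6.2 until none matches. whnf never
    goes under succ or λ; a global variable in head position has no rule, so
    the rewrite stops there and the term is returned unchanged."""
    while isinstance(t, App):
        head = t.fn
        if isinstance(head, Lam):            # whnf(box ((λx.t) s)) ⇝ whnf(box (t[s/x]))
            t = subst(head.body, head.param, t.arg)
        elif isinstance(head, App):          # whnf(box (t s)) ⇝ whnf(box (t' s)) if the head rewrites
            new_head = whnf(head)
            if new_head == head:             # head stuck on x or u^δ: no rule applies
                return t
            t = App(new_head, t.arg)
        else:                                # head is x, zero, succ or u^δ: no rule applies
            return t
    return t                                 # zero, succ t, λx.t, x and u^δ are left as they are

BLOCKED = "neutral: match box u^δ with r"   # marker for the blocked case of Sec. 5.2
Branches = Dict[object, Callable[[Dict[str, Term]], object]]

def match_code(code: Term, branches: Branches, local_ctx: Tuple[str, ...] = ()) -> object:
    """The match function of Fig. 7: pick the branch for the shape of the code
    and run its body with σ extended by the pattern variables. Branches are
    keyed "zero", "succ", "lam", "app" and ("var", x) for each x in Δ; coverage
    is checked up front, as the typing judgment for branch lists guarantees it."""
    required = {"zero", "succ", "lam", "app"} | {("var", x) for x in local_ctx}
    missing = required - set(branches)
    if missing:
        raise ValueError(f"branch list is not covering, missing {missing}")
    if isinstance(code, GVar):   # scrutinee is a global variable: the match stays neutral
        return BLOCKED
    if isinstance(code, Var):    return branches[("var", code.name)]({})
    if isinstance(code, Zero):   return branches["zero"]({})
    if isinstance(code, Succ):   return branches["succ"]({"u": code.arg})
    if isinstance(code, Lam):    return branches["lam"]({"u": code.body})    # u : (Δ, x:S ⊢ T)
    return branches["app"]({"u": code.fn, "u'": code.arg})                   # ?u ?u'

def is_zero_branches(local_ctx: Tuple[str, ...] = ()) -> Branches:
    """`| zero ⇒ true | _ ⇒ false` from Sec. 6.2; the grammar has no wildcard,
    so `_` is expanded into one explicit branch per remaining shape."""
    b: Branches = {"zero": lambda sigma: True}
    for key in ("succ", "lam", "app", *(("var", x) for x in local_ctx)):
        b[key] = lambda sigma: False
    return b

PRED: Branches = {                      # constructed: predecessor on code, zero otherwise
    "zero": lambda sigma: Zero(),
    "succ": lambda sigma: sigma["u"],   # the bound pattern variable is itself code
    "lam":  lambda sigma: Zero(),
    "app":  lambda sigma: Zero(),
}

ID_ZERO: Term = App(Lam("x", Var("x")), Zero())   # constructed scrutinee: (λx.x) zero

def page_example() -> Tuple[object, object]:
    """The two matches of Sec. 6.2: the syntactic match sees an application,
    matching after whnf sees zero."""
    b = is_zero_branches()
    return match_code(ID_ZERO, b), match_code(whnf(ID_ZERO), b)

if __name__ == "__main__":
    print(page_example())                                  # (False, True)
    print(match_code(GVar("u"), is_zero_branches()))       # blocked
    print(whnf(App(GVar("u"), Zero())))                    # unchanged: u^δ in head position
    print(match_code(Succ(Succ(Zero())), PRED))            # Succ(arg=Zero())
```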


6.3 Extending to More Layers 


Another potential of layering is to generalize the 2-layered system to $n$ layers for a fixed $n \geq 2$. Scaling to $n$ layers is in fact technically detailed, but conceptually simple. We sketch the process briefly here and leave the details as future work.

In a layered system, terms are type-checked in a context array. For an $n$-layered system, this context array has length $n$:
\[
\Gamma_{n-1}; \cdots; \Gamma_0 \vdash_i t : T \quad \text{or} \quad \vec{\Gamma} \vdash_i t : T \qquad \text{where } i \in [0, n-1].
\]

We now use $x, y$ to range over variables in all contexts. Each context in the context array contains bindings of a fixed shape. Bindings in $\Gamma_0$ are $x : T$. Bindings in $\Gamma_i$ for $i \in [1, n-1]$ are of the shape $x : (\Delta_{i-1}; \cdots; \Delta_0 \vdash T)$. Bindings in each $\Delta_j$ also have the specified shape. Contextual types are generalized to context arrays: $\Box(\Delta_{i-1}; \cdots; \Delta_0 \vdash T)$. The design of an $n$-layered system is guided by two principles: the matryoshka principle, which says types and terms at lower layers are subsumed by higher layers, and the static code principle, which says only terms at layer $n-1$ compute. In particular, the latter principle means that terms from layer 0 to $n-2$ are static code. Following both principles, we will be able to fill in the details and design an $n$-layered system.

We expect the $n$-layered generalization to be compatible with the extension with operations described in Sec. 6.2. Instead of extending layer 1, we extend layer $n-1$ so that all lower layers are unaffected.


7 Related Work and Conclusion 


7.1 Normalization of Modal Type Theories 


The core of our paper is the normalization of 2-layered modal type theory. Recently, there have been a number of approaches that explore modal type theories. One of the earliest is from Nanevski et al. [39]. They prove the normalization for contextual modal type theory (CMTT) indirectly by a translation to the system by de Groote [23]. This translation does not give a direct normalization algorithm for CMTT. Our system in Sec. 3 is strictly weaker than CMTT by disallowing nested $\Box$s. Even if we scale our system to $n$ layers as outlined in Sec. 6.3, the resulting system will only have a hierarchy of contextual types, so we still cannot recover the same expressive power as CMTT to do arbitrary nesting of $\Box$s. Nevertheless, in Sec. 5 we have shown that this temporary loss in expressive power enables an orthogonal avenue of intensional analysis that is difficult to obtain in CMTT. Kavvos [32] proposes formulations for a few different modalities in the dual-context style and proves the normalization using a translation to de Groote's system as well. The normalization of System GL, however, is proved directly by reducibility candidates. Lately, Gratzer [20] proves the normalization of multimodal type theory, a generalization of the dual-context systems, using Sterling's synthetic Tait's computability.

The Kripke-style systems are another kind of formulation of modalities and are different from ours in context management. The normalization problem for this style is more intensively investigated. Borghuis proves the strong normalization of modal pure type systems in his PhD thesis. More recently, Clouston proves the normalization of System K using reducibility candidates. Gratzer et al. [22] prove the normalization of a dependent type theory with idempotent S4 by parameterizing Abel's [1] untyped domain method with a poset. Valliappan et al. use the same method and prove the normalization for Systems K, T, K4 and S4. Hu and Pientka establish the same result but introduce a "truncoid" algebraic structure to the untyped domain model instead, so that one normalization proof can be instantiated to adapt to all four systems. This method using truncoids has been scaled to dependent types [25]. It is worth emphasizing that none of these modal type theories supports pattern matching on code as we do in our 2-layered modal type theory.


7.2 Homogeneous Meta-programming and Its Foundations 


Early ideas of metaprogramming using the quasi-quoting style can be traced back to Lisp/Scheme [3]. In Lisp's untyped setting, all programs are represented as lists, so intensional analysis is reduced to inspection of lists and is relatively simple. Supporting type-safe metaprogramming leads to all the complications. MetaML is an early example of type-safe meta-programming. MetaML employs a quasi-quoting style similar to Lisp. However, MetaML does not support any form of intensional analysis. In fact, MetaML's meta-theory even allows reduction of code under quote [52], so intensional analysis is deliberately avoided. The correspondence between meta-programming and modal logic S4 is described by Davies and Pfenning [17]. The correspondence explains how the modal logic S4 models multi-staging and code composition, but it does not explain how intensional analysis should be supported. Two formulations of S4 are presented: the dual-context style and the Kripke style. While the Kripke-style formulation provides a type-theoretic formulation for quasi-quotation, it is more challenging to extend and support intensional analysis. On the other hand, the dual-context style forces programmers to write meta-programs in a comonadic style, but it has a better setup for intensional analysis, as we have demonstrated. This is also the approach taken in Beluga [43,45] and Moebius [30].

The semantics for the dual-context style has also been studied previously. In the context of contextual types, Gabbay and Nanevski attempt to give a set-theoretic semantics to contextual types. As pointed out by Kavvos [33], their exact formulation of contextual types seems to break the confluence property.

Boespflug and Pientka [12] extend the dual-context style to the multi-context style. Though the multi-context style and the Kripke style both use multiple contexts for typing, the number of contexts in the former is more or less fixed (hence context arrays), while in the latter, contexts are often pushed and popped during typing (hence context stacks). Davies and Pfenning [17] show that the Kripke-style system is equivalent to the dual-context style. Moebius [30] combines the multi-context style and contextual types, and supports pattern matching on code in System F. Moebius has subject reduction. However, to adapt Moebius to a type theory, normalization must be proved, but it is not obvious how to support coverage. Whether layering provides a solution requires a future investigation.

Ωmega is another example of a sound meta-programming system with pattern matching on code. Ωmega implements the quasi-quoting style. The open context of a code is annotated in the type, similar to contextual types. However, the type of the code itself is not remembered, so their type system is not as complex due to reduced type information.


7.3 Intensionality in Type Theories 


Interest in intensionality is often associated with modalities. Pfenning [41] describes a type theory in which terms might be treated intensionally, extensionally, or irrelevantly when corresponding modalities are employed. This is similar to our setting, where intensionality of code is marked by the $\Box$ modality. In the same setting, Kavvos [33] describes a special kind of intensional recursion using Löb induction ($\Box(\Box A \to A) \to \Box A$), which allows meta-programs to access their own code. Löb induction says that if we can prove $A$ from the proof of $A$, then $A$ is true. Löb induction is incompatible with the Axiom T ($\Box A \to A$), but it still has interesting computational behaviors, including an example for computer viruses. Chen and Ko resolve the incompatibility between Löb induction and the Axiom T by supporting them in two separate modalities.


7.4 Layering in Type Theories 


Layering can also be found in other type theories. Logical Framework (LF) [24] is essentially a layered system. LF is a dependently typed framework to define object languages. These object languages live at one layer. LF as their meta-language lives at a higher layer. Isabelle [40] is one example of a modern proof assistant based on LF. There are two layers in Cocon [47]. At the lower layer is LF, which defines an object language. At the higher layer is a Martin-Löf type theory (MLTT) for computation. The two layers are connected by contextual types. Cocon supports induction in MLTT on the syntax of an object language in LF. Cocon's structure leads to a similar semantics to our 2-layered modal type theory. The main difference is that in 2-layered modal type theory, the core language at layer 0 is a sub-language of the computational language at layer 1. Consequently, all terms at layer 0 can be lifted to layer 1 (Lemma 3) for free and be run as programs. The conversion from code to programs is done implicitly in the semantics. Contrarily, in Cocon, since the object language is defined freely, an embedding to MLTT must be given explicitly and is only possible if the object language has strictly weaker expressive power. A categorical semantics for Cocon is given by Hu et al. [46,29]. Kovács [36] and Allais [4] demonstrate applications of 2-level type theory, which focuses more on code composition and does not support intensional analysis.


Layered Modal Type Theory 77 


Our system uses layers to account for the number of nested □'s, which shares
some similarity with graded and quantitative systems [8, 2, 38]. The latter systems
use grades to keep track of uses of variables. We believe that it would be
interesting to have a universal framework containing all these different uses of
modalities, though this requires further investigation.

Our approach is also similar to GuTT, a guarded type theory supporting
Löb induction. GuTT has two layers. The first layer excludes the dynamics of Löb
induction (but not of other terms) and enjoys normalization. The lost dynamics
are recovered at the second layer, at the cost of normalization. We are similar in
that we both take advantage of differences between layers, and one layer is an
extension of the other.


7.5 Conclusion and Future Work 


In this paper, we introduce the layered style to support intensional analysis in 
type theory. In the layered view, meta-programming is done in an extended lan- 
guage of a chosen core language. Pattern matching on code at a higher layer 
only needs to handle code at lower layers, hence circumventing the complica- 
tions in previous work. We investigate the layered style in 2-layered modal type 
theory, which supports pattern matching on code where we guarantee coverage 
by construction. We provide a constructive proof of normalization by evaluation 
using a presheaf model. The normalization algorithm extracted from the model 
is proven complete and sound and is implemented in Agda. 

Layering provides a controlled and modular way to introduce meta-programming
with intensional analysis to type theory. As a first step, we plan to add
context abstraction following the approach taken, for example, in Beluga to support
more general recursion principles [43, 44]. We see abstracting over contexts
as an orthogonal issue. As a next step, we will adapt layering to Martin-Löf type
theory (MLTT). Both extensions will create the first dependent type theory that
supports intensional analysis of code within MLTT. In the long term, we
hope that this type theory will also provide a foundation for extending the core
language of Coq, Agda, or other proof assistants with a meta-language of tactics
that can reuse all definitions from the core language while the normalization of
the overall system is retained.
Abstract. Graded type systems are a class of type system for fine-
grained quantitative reasoning about data-flow in programs. Through 
the use of resource annotations (or grades), a programmer can express 
various program properties at the type level, reducing the number of ty- 
peable programs. These additional constraints on types lend themselves 
naturally to type-directed program synthesis, where this information can 
be exploited to constrain the search space of programs. We present a syn- 
thesis algorithm for a graded type system, where grades form an arbitrary 
pre-ordered semiring. Harnessing this grade information in synthesis is 
non-trivial, and we explore some of the issues involved in designing and 
implementing a resource-aware program synthesis tool. In our evalua- 
tion we show that by harnessing grades in synthesis, the majority of our 
benchmark programs (many of which involve recursive functions over re- 
cursive ADTs) require less exploration of the synthesis search space than 
a purely type-driven approach and with fewer needed input-output ex- 
amples. This type-and-graded-directed approach is demonstrated for the 
research language Granule but we also adapt it for synthesising Haskell 
programs that use GHC’s linear types extension. 


1 Introduction 


Type-directed program synthesis is a technique for synthesising programs from 
user-provided type specifications. The technique has a long history intertwined 
with proof search, thanks to the Curry-Howard correspondence [87, 22]. We
present a program synthesis approach that leverages the information of graded 
type systems that track and enforce program properties related to data flow. Our 
approach follows the concept of program synthesis as a form of proof search in 
logic: given a type A we want to find a program term t which inhabits A. We 
express this in terms of a synthesis judgement akin to typing or proof rules: 


Γ ⊢ A ⇒ t


meaning that the term t can be synthesised for the goal type A under a context
of assumptions Γ. A calculus of synthesis rules then inductively defines the above
synthesis judgement for each type former of a language. For example, we may
define a synthesis rule for standard product types in the following way:


Γ ⊢ A ⇒ t₁        Γ ⊢ B ⇒ t₂
―――――――――――――――――――――――――――――― ×INTRO
     Γ ⊢ A × B ⇒ (t₁, t₂)
Reading ‘clockwise’ from the bottom-left: to synthesise a value of type A × B, we
synthesise a value of type A and then a value of type B and combine them into
a pair in the conclusion. The ‘ingredients’ for synthesising the subterms t₁ and
t₂ come from the free-variable assumptions Γ and any constructors of A and B.
Depending on the context, there may be many possible combinations of assumptions
to synthesise a pair. Consider the following type and partial program
with a hole (marked ?) specifying a position to perform program synthesis:


f : A → A → A → A × A        f x y z = ?


The function has three parameters all of type A which can be used to synthesise
an expression of the goal type A × A. Expressing this synthesis problem as an
instantiation of the above ×INTRO rule yields:

x : A, y : A, z : A ⊢ A ⇒ t₁        x : A, y : A, z : A ⊢ A ⇒ t₂
―――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― ×INTRO
            x : A, y : A, z : A ⊢ A × A ⇒ (t₁, t₂)


Even in this simple setting, the number of possibilities starts to become unwieldy: 
there are 3² possible candidate programs based on combinations of x, y and z. We
thus wish to constrain the number of choices required by the synthesis algorithm. 
Many systems achieve this by allowing the user to specify additional information 
about the desired program behaviour. For example, recent work extends type- 
directed synthesis to refinement types [50], cost specifications [85], differential 
privacy [52], ownership information [16], example-guided synthesis and ex- 
amples integrated with types [47]. The general idea is that the proof search / 
program synthesis procedure can be pruned and refined given more information, 
whether richer types, additional examples, or behavioural specifications. 

We instead leverage the information contained in graded type systems which 
constrain how data can be used by a program and thus reduce the number of 
possible synthesis choices. Our hypothesis is that grade-and-type-directed syn- 
thesis reduces the number of paths that need to be explored and the number of 
input-output examples that are needed, thus potentially speeding up synthesis. 

Graded type systems trace their roots to linear logic. In linear logic, data is 
treated as though it were a finite resource which must be consumed exactly once, 
disallowing arbitrary copying and discarding [20]. Non-linearity is captured by 
the ! modal operator (the exponential modality). This gives a binary view—a 
value may either be used exactly once or in a completely unconstrained way. 
Bounded Linear Logic (BLL) refines this view, replacing ! with a family of in- 
dexed modal operators where the index provides an upper bound on usage [21], 
e.g., !<4A represents a value A which may be used up to 4 times. Various works 
have generalised BLL, resulting in graded type systems in which these indices 
are drawn from an arbitrary pre-ordered semiring [12, 19, 49, 1, 14, 5, 89]. This
allows numerous program properties to be tracked and enforced statically. Such 
systems are being deployed in language implementations, forming the basis of 
Haskell’s linear types extension [8], Idris 2 [11], and the language Granule [45].

Returning to our example in a graded setting, the function’s parameters now 
have grades that we choose, for the sake of example, to be particular natural 
numbers describing the exact number of times the parameters must be used:

f : A² → A⁰ → A⁰ → A × A        f x y z = ?


The first A is annotated with a grade 2 meaning it must be used twice. The types 
of y and z are graded with 0, enforcing zero usage, i.e., they cannot be used in the 
body of f. The result is that there is only one (normal form) inhabitant for this 
type: (x, x). For synthesis, the other assumptions will not even be considered, 
allowing pruning of branches which use resources in a way which violates the 
grades. Natural number grades in this example explain how many times a value 
can be used, but we may instead represent different program properties such as 
sensitivity, strictness, or security levels for tracking non-interference, all of which 
are well-known instances of graded type systems [45, 18, 1]. These examples are
all graded presentations of coeffects, tracking how a program uses its context,
in contrast with graded types for effects which are not considered here.

In prior work, we built on proof search for linear logic [25], developing a 
program synthesis technique for a linear type theory with graded modalities 
□ᵣA (where r is drawn from a semiring) and non-recursive types [27], which
we refer to as LGM i.e., linear-graded-modal. We adapt some of these ideas to a 
setting which does not have a linear basis, but rather a type system where grades 
are pervasive (such as the core of Haskell’s linear types extension [8]) alongside 
recursive algebraic data types and input-output example specifications. 

We make the following contributions: 


— We define a synthesis calculus for a core graded type system, adapting the 
context management scheme of LGM to a fully graded setting (rather than the 
linear setting) and also addressing recursion, recursive types, and user-defined 
ADTs, none of which were considered in previous work. Synthesis is proved
sound, i.e., synthesised programs are typed by the goal type.

— We implemented both the core type system as an extension of Granule and
implemented the synthesis calculus algorithmically.¹ We elide full details of
the implementation but explain its connection to the formal development.

— We extend the Granule language to include input-output examples as specifi- 
cations with first-class syntax (that is type checked), which complements the 
synthesis algorithm and helps guide synthesis. This also aids our evaluation. 

— We evaluate our tool on a benchmark suite of recursive functional programs 
leveraging standard data types like lists, streams, and trees. We compare 
against non-graded synthesis provided by MYTH [47]. 

— Leveraging our calculus and implementation, we provide a prototype tool for 
synthesising Haskell programs that use GHC 9’s linear types extension. 


Roadmap. Section 2 gives a brief overview of proof search in resourceful settings,
recalling the ‘resource management problem’. Section 3 then defines a core calculus
as the target of our synthesis approach. This type system closely resembles
various other graded systems including the core of Linear Haskell [8].
We implemented this system as a language extension of Granule [45].


¹ Available at: github.com/granule-project/granule/releases/tag/v0.9.3.0
Section 4 presents a calculus of synthesis rules for our language, showing how
grades enforce resource usage potentially leading to pruning of the search space 
of candidate programs. We also discuss some details of the implementation of 
our tool. We observe the close connection between synthesis in a graded setting 
and automated theorem proving for linear logic, allowing us to exploit existing 
optimisation techniques, such as the idea of a focused proof [4]. 

Section 5 evaluates our implementation on a set of 46 benchmarks, including
several non-trivial programs which use algebraic data types and recursion. 

Section 6 demonstrates the practicality and versatility of our approach by
retargeting our algorithm to synthesise programs in Haskell from type signatures 
that use GHC’s linear types extension (which is a graded type system [8]). 


2 Overview of Resourceful Program Synthesis 


Section 1 discussed synthesising pairs and how graded types could control the
number of times assumptions are used in a synthesised term. In a linear or graded
setting, synthesis must handle the resource management problem [24, 13]: how
do we give a resourceful accounting to the context during synthesis, respecting
its constraints? We overview the main ideas for addressing this problem.
Section 1 considered (Cartesian) product types ×, but we now switch to the
multiplicative product of linear types, which has the typing rule [20]:


Γ₁ ⊢ t₁ : A        Γ₂ ⊢ t₂ : B
――――――――――――――――――――――――――――――――
  Γ₁, Γ₂ ⊢ (t₁, t₂) : A ⊗ B


Each subterm is typed by different contexts, which are combined by disjoint
union: a pair cannot be formed if variables are shared between Γ₁ and Γ₂, preventing
the structural behaviour of contraction where variables appear in multiple
subterms. Naively converting this typing rule into a synthesis rule yields:


Γ₁ ⊢ A ⇒ t₁        Γ₂ ⊢ B ⇒ t₂
――――――――――――――――――――――――――――――――― ⊗INTRO
  Γ₁, Γ₂ ⊢ A ⊗ B ⇒ (t₁, t₂)


As a declarative specification, this synthesis rule is sufficient. However, this rule
embeds a considerable amount of non-determinism when considered from an
algorithmic perspective. Reading ‘clockwise’ starting from the bottom-left, given
a context Γ and a goal A ⊗ B, we have to split Γ into disjoint subparts Γ₁ and
Γ₂ such that Γ = Γ₁, Γ₂ in order to pass Γ₁ and Γ₂ to the subgoals for A and
B. For a context of size n there are 2ⁿ possible such partitions! This quickly
becomes intractable. Instead, Hodas and Miller developed a technique for linear
logic programming [25], refined by Cervesato et al. [13], where proof search has
an input context of available resources and an output context of the remaining
resources, which we write as judgments Γ ⊢ A ⇒ t | Γ' for input context Γ
and output context Γ'. Synthesis for multiplicative products then becomes:


Γ₁ ⊢ A ⇒ t₁ | Γ₂        Γ₂ ⊢ B ⇒ t₂ | Γ₃
―――――――――――――――――――――――――――――――――――――――― ⊗INTRO
     Γ₁ ⊢ A ⊗ B ⇒ (t₁, t₂) | Γ₃


Program Synthesis from Graded Types 87 


The resources remaining after synthesising the term t₁ for A are Γ₂, which are
then passed as the resources for synthesising the term of goal type B. There is an 
ordering implicit here in ‘threading through’ the contexts between the premises. 
For example, starting with a context x : A, y : B, this rule can be instantiated: 


x : A, y : B ⊢ A ⇒ x | y : B        y : B ⊢ B ⇒ y | ∅
―――――――――――――――――――――――――――――――――――――――――――――――――――― ⊗INTRO (example)
          x : A, y : B ⊢ A ⊗ B ⇒ (x, y) | ∅


This avoids the problem of splitting the input context, facilitating efficient proof 
search for linear types. LGM adapted this idea to linear types augmented with 
graded modalities [27]. We call the above approach subtractive resource management
due to its similarity to left-over type-checking for linear types [8, 54]. In a
graded modal setting however this approach is costly [27].

Graded type systems, as considered here, have typing contexts in which free 
variables are assigned a type and a grade: an element of a semiring. For example, 
the semiring of natural numbers describes how many times an assumption can 
be used, in contrast to linear assumptions which must be used exactly once, e.g., 
the context x :2 A, y :0 B says that x must be used twice but y cannot be used.
The literature contains many example semirings for tracking other properties 
as graded types, e.g., security labels [1], intervals of usage [45], and hardware
schedules [19]. In a graded setting, the subtractive approach is problematic
though as there is not necessarily a notion of subtraction for grades. 

Consider the above example but for a context with grades r and s on the 
variables. Using a variable to synthesise a subterm no longer results in that 
variable being ‘left out’ of the output context. Instead a new grade is given in 
the output context relating to the input with a constraint capturing the usage: 


∃r'. r' + 1 = r     x :r A, y :s B ⊢ A ⇒ x | x :r' A, y :s B
∃s'. s' + 1 = s     x :r' A, y :s B ⊢ B ⇒ y | x :r' A, y :s' B
――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――― ⊗INTRO (example)
        x :r A, y :s B ⊢ A ⊗ B ⇒ (x, y) | x :r' A, y :s' B


In the first premise, x has grade r in the input context and x is synthesised for
the goal, thus the output context has some grade r’ where r’ + 1 = r, denoting 
a use of x by the 1 element of the semiring. The second premise is similar. 

For the natural numbers, if r = s = 1 then the above constraints are satisfied 
by r’ = s’ = 0. In general, subtractive synthesis for graded types requires solving 
many such existential equations over semirings, which introduces a new source 
of non-determinism as there can be more than one solution. LGM implemented 
this approach, leveraging SMT solving in the context of the Granule language, 
but show that a dual additive approach has better performance. In the additive 
approach, output contexts describe what was used instead of what is left. To 
synthesise a term with multiple subterms (e.g. pairs), the output contexts of each 
premise are added using the semiring addition applied pointwise on contexts to 
produce the conclusion output. For pairs this looks like: 


Γ ⊢ A ⇒ t₁ | Δ₁        Γ ⊢ B ⇒ t₂ | Δ₂
――――――――――――――――――――――――――――――――――――――― ⊗INTRO
     Γ ⊢ A ⊗ B ⇒ (t₁, t₂) | Δ₁ + Δ₂

The whole of Γ is used to synthesise both premises. For example, for goal A ⊗ A:

x :r A, y :s B ⊢ A ⇒ x | x :1 A, y :0 B
x :r A, y :s B ⊢ A ⇒ x | x :1 A, y :0 B
――――――――――――――――――――――――――――――――――――――――――――――――――――― ⊗INTRO (example)
x :r A, y :s B ⊢ A ⊗ A ⇒ (x, x) | x :(1+1) A, y :(0+0) B


Synthesis rules for binders check whether the output context describes use that 
is within the grades given by Γ, i.e., that synthesised terms are well-resourced.

Both subtractive and additive approaches avoid having to split the incoming 
context Γ prior to synthesising subterms. In LGM, we evaluated both resource
management strategies in a synthesis tool for a subset of Granule’s ‘linear base’ 
system, finding that in most cases, the additive strategy was more efficient for 
use in program synthesis with grades as it involves solving less complex pred- 
icates; the subtractive approach typically incurs higher overhead due to the 
existentially-derived notion of subtraction seen above. We therefore take the 
additive approach to resource management. 

LGM developed our approach for the linear λ-calculus with products, coproducts,
and semiring-graded modalities. Here, we instead consider a graded calculus
without a linear base but where all assumptions are graded and function types 
therefore incorporate a grade. Furthermore, our approach permits synthesis for 
user-defined recursive ADTs to address more real-world problems. 


3 Core Calculus 


We define a core language with graded types, drawing from the coeffect calculus 
of Petricek et al. [49], Quantitative Type Theory (QTT) [89, 5] and other graded
dependent type theories (omitting dependent types from our language), the
calculus of Abel and Bernardy [1], and the core of the linear types extension to
Haskell [8]. This calculus shares much in common with languages based on linear
types, such as the graded monadic-comonadic calculus of [18], generalisations of
Bounded Linear Logic [12, 19], and Granule [45] in its original ‘linear base’ form.

Our target calculus extends the λ-calculus with grades and a graded necessity
modality as well as recursive algebraic data types. Parameterising the calculus is
a pre-ordered semiring (R, *, 1, +, 0, ⊑) where pre-ordering requires that + and
* are monotonic w.r.t. ⊑. Throughout, r, s range over R. The syntax of types is:

A, B ::= Aʳ → B | □ᵣA | K Ā | μX.A | X | α      (types)
K ::= Unit | ⊗ | ⊕      (type constructors)
τ ::= ∀ᾱ : κ̄. A      (type schemes)


The function space Aʳ → B annotates the input type with a grade r ∈ R. The
graded necessity modality □ᵣA is similarly annotated/indexed with a grade r.
Type constructors K include the multiplicative linear products and units, additive
coproducts, and are extended by names of user-defined ADTs in the implementation.
Constructors are applied to zero or more type parameters written Ā.
Recursive types μX.A are equi-recursive with type recursion variables X. Data
constructors and other top-level definitions are typed by type schemes τ (rank-1
polymorphic types), which bind a set of kind-annotated universally quantified
type variables ᾱ : κ̄ à la ML [40]. Subsequently, types may contain type variables
α. Kinds κ are standard, given in the appendix [28].

The term syntax comprises the λ-calculus, a promotion construct [t] which
introduces a graded modality, data constructors (C t₁ … tₙ), and elimination by
case expressions with patterns p, where [p] eliminates graded modalities:

t ::= x | λx.t | t₁ t₂ | [t] | C t₁ … tₙ | case t of p₁ ↦ t₁; …; pₙ ↦ tₙ      (terms)
p ::= x | [p] | C p₁ … pₙ      (patterns)


Example 1. In the type system (below), the k-combinator is typed as on the left:

k : A¹ → B⁰ → A                 k' : (A ⊗ □₀B)ʳ → □ᵣA
k = λx.λy.x                      k' = λp.case p of (x, y) ↦ case y of [y'] ↦ [x]


On the right, an uncurried version uses graded modalities. The argument pair 
uses a graded modality to capture that the B part is not used. This graded 
modal argument is eliminated by the second case with pattern [y’] binding y’ 
with grade 0, indicating it is unused. The return result is of graded modal type 
with some grade r which is introduced by promotion [x]. Promotion propagates 
its grade to its dependencies, i.e., the parameter p must also have grade r. 

A useful semiring is of security levels [18, 1], e.g., R = {Private, Public} where
Private ⊑ Public, + = ∧ with 0 = Private, and * = ∨ with 1 = Public. In the
above example, the second argument to k would thus be Private. If the return
result of k' is for public consumption, i.e., r = Public, then the argument must
also be public, with the private component B not usable in the result.


Figure 1 defines the typing judgments of the form Σ; Γ ⊢ t : A assigning a
type A to a term t under type variables Σ. For such judgments we say that t is
both well typed and well resourced to highlight the role of grading in accounting
for resource use via the grades. Contexts Γ are given by:

Δ, Γ ::= ∅ | Γ, x :r A      (contexts)

That is, a context may be empty ∅ or extended with a graded assumption x :r
A. Graded assumptions must be used in a way which adheres to the grade r.
Structural exchange is permitted, allowing a context to be arbitrarily reordered.
A global context D parameterises the system, containing top-level definitions
and data constructors annotated with type schemes. A context of kind-annotated
type variables Σ is used for kinding and when instantiating a type scheme from
D. Appendix A gives the (standard) kinding relation [28].

Variables are typed (rule VAR) in a context where the variable x has grade 1 
denoting its single use here. All other variable assumptions are given the grade 
of the 0 semiring element (providing weakening), using scalar multiplication: 


Definition 1 (Scalar multiplication). For a context Γ, r · Γ scales each
assumption by grade r, where r · ∅ = ∅ and r · (Γ, x :s A) = (r · Γ), x :(r·s) A.
        Σ ⊢ A : Type
VAR  ――――――――――――――――――――――――――
        Σ; 0·Γ, x :1 A ⊢ x : A

        (x : ∀ᾱ:κ̄. A') ∈ D        Σ ⊢ A = inst(∀ᾱ:κ̄. A')
DEF  ―――――――――――――――――――――――――――――――――――――――――――――――――――
        Σ; 0·Γ ⊢ x : A

        Σ; Γ, x :r A ⊢ t : B
ABS  ――――――――――――――――――――――――――
        Σ; Γ ⊢ λx.t : Aʳ → B

        Σ; Γ₁ ⊢ t₁ : Aʳ → B        Σ; Γ₂ ⊢ t₂ : A
APP  ―――――――――――――――――――――――――――――――――――――――――――――
        Σ; Γ₁ + r·Γ₂ ⊢ t₁ t₂ : B

        Σ; Γ ⊢ t : A
PR   ――――――――――――――――――――――――
        Σ; r·Γ ⊢ [t] : □ᵣA

           Σ; Γ, x :r A, Γ' ⊢ t : B        r ⊑ s
APPROX  ――――――――――――――――――――――――――――――――――――――――――
           Σ; Γ, x :s A, Γ' ⊢ t : B

        (C : ∀ᾱ:κ̄. B₁^q₁ → … → Bₙ^qₙ → K Ā') ∈ D
        Σ ⊢ B₁^q₁ → … → Bₙ^qₙ → K Ā = inst(∀ᾱ:κ̄. B₁^q₁ → … → Bₙ^qₙ → K Ā')
CON  ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
        Σ; 0·Γ ⊢ C : B₁^q₁ → … → Bₙ^qₙ → K Ā

        Σ; Γ ⊢ t : A        (Σ; r ⊢ pᵢ : A ▷ Δᵢ        Σ; Γ', Δᵢ ⊢ tᵢ : B)ᵢ
CASE ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
        Σ; r·Γ + Γ' ⊢ case t of p₁ ↦ t₁; …; pₙ ↦ tₙ : B

        Σ; Γ ⊢ t : A[μX.A/X]                  Σ; Γ ⊢ t : μX.A
μ₁   ――――――――――――――――――――――――      μ₂   ――――――――――――――――――――――――
        Σ; Γ ⊢ t : μX.A                        Σ; Γ ⊢ t : A[μX.A/X]

             Σ, ᾱ:κ̄; ∅ ⊢ t : A
TOPLEVEL  ――――――――――――――――――――――――
             Σ; ∅ ⊢ t : ∀ᾱ:κ̄. A

Fig. 1: Typing rules


Top-level definitions (DEF) must be present in the global definition context D,
with the type scheme ∀ᾱ:κ̄. A'. The type A results from instantiating all of the
universal variables to types via the judgment Σ ⊢ A = inst(∀ᾱ:κ̄. A') in a standard
way as in Algorithm W [40]. Relatedly, the TOPLEVEL rule types top-level
definitions with polymorphic type schemes (corresponding to the generalisation
rule [40]). Reading bottom up, universally quantified type variables are added
to the type variable context to form the type A of the definition term t.
Abstraction (ABS) binds a variable x which is used in the body t according to
grade r and thus this grade is captured onto the function arrow in the conclusion.
Relatedly, application (APP) scales the context Γ₂ of the argument term t₂ by
the grade of the function arrow r since t₂ is used according to r in t₁ t₂. To this
scaled context is ‘added’ the context Γ₁ of the function term, via + defined:


Definition 2 (Context addition). For contexts Γ₁, Γ₂, then Γ₁ + Γ₂ computes
the pointwise addition using semiring addition (providing contraction), where:

Γ + ∅ = Γ
(Γ₁, x :r A) + (Γ₂, x :s A) = (Γ₁ + Γ₂), x :(r+s) A
(Γ₁, x :r A) + Γ₂ = (Γ₁ + Γ₂), x :r A      if x ∉ dom(Γ₂)

For example, (x :1 A, y :0 B) + x :3 A = x :(1+3) A, y :0 B. The operation is
commutative and undefined if the type of a variable differs in two contexts.
Introduction of graded modalities is achieved via promotion (PR rule) where
grade r is propagated to the assumptions in Γ through the scaling of Γ by r.
Approximation (APPROX) allows a grade r to be converted to grade s provided
that s approximates r as defined by the pre-order relation ⊑. This relation is
occasionally lifted pointwise to contexts: we write Γ ⊑ Γ' to mean that Γ' over-approximates
Γ, i.e., for all (x :r A) ∈ Γ then (x :r' A) ∈ Γ' and r ⊑ r'.
         Σ ⊢ A : Type                         Σ; r·s ⊢ p : A ▷ Δ
PVAR  ――――――――――――――――――――――――      PBOX  ――――――――――――――――――――――――――
         Σ; r ⊢ x : A ▷ x :r A                Σ; r ⊢ [p] : □ₛA ▷ Δ

         (C : ∀ᾱ:κ̄. B₁^q₁ → … → Bₙ^qₙ → K Ā') ∈ D
         Σ ⊢ B₁^q₁ → … → Bₙ^qₙ → K Ā = inst(∀ᾱ:κ̄. B₁^q₁ → … → Bₙ^qₙ → K Ā')
         (Σ; qᵢ·r ⊢ pᵢ : Bᵢ ▷ Δᵢ)ᵢ        |K Ā| > 1 ⇒ 1 ⊑ r
PCON  ――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――――
         Σ; r ⊢ C p₁ … pₙ : K Ā ▷ Δ₁, …, Δₙ

Fig. 2: Pattern typing rules


Recursion is typed via the μ₁ rule and its inverse μ₂, in a standard way.
Introduction of data types (CON) via a constructor C of a data type K Ā
(with zero or more type parameters) incurs an instantiation of its polymorphic
type scheme from D. Each argument has a grade qᵢ. Constructors are closed, thus
have only zero-use grades in the context by scaling with 0. Elimination of data
types (CASE) is via pattern matching. Patterns p are typed by the judgement
Σ; r ⊢ p : A ▷ Δ (Figure 2) stating that pattern p has type A and produces a
context of typed binders Δ. The grade r to the left of the turnstile represents
grade information arising from usage in the context generated by this pattern.
Variable patterns (PVAR) produce a singleton context with x :r A of the
grade r. Pattern matches on data constructors (PCON rule) may have zero
or more sub-patterns (p₁ … pₙ), each of which is typed under the grade qᵢ · r
(where qᵢ is the grade of the corresponding argument type for the constructor, as
defined in D). Additionally, we have the constraint |K Ā| > 1 ⇒ 1 ⊑ r which
witnesses the fact that if there is more than one data constructor for the data
type (written |K Ā| > 1), then r must approximate 1 because pattern matching
on a data constructor incurs some usage since it reveals information about that
constructor.² By contrast, pattern matching on a type with only one constructor
cannot convey any information by itself and so no usage requirement is imposed.
Finally, elimination of a graded modality (often called unboxing) takes place via
the PBOX rule, with syntax [p]. Like PCON, this rule propagates the grade
information of the box pattern’s type s to the enclosed sub-pattern p, yielding a
context with the grades r · s. One may observe that PBOX (and by extension PR)
could be considered as special cases of PCON (and CON respectively), if we were
to treat promotion as a data constructor with the type Aʳ → □ᵣA. We however
chose to keep modal introduction and elimination distinct from constructors.


² A discussion of this additional constraint on grades is given by Hughes et al. [29].

Example 2. Discussed earlier, the natural numbers semiring with discrete ordering
(ℕ, ×, 1, +, 0, =) counts exactly how many times variables are used. We denote
this semiring as N=. This semiring is less useful in the presence of control-flow,
e.g., for multiple branches in a case using variables differently. A semiring of
natural number intervals is more helpful here. An interval is a pair of natural
numbers ℕ × ℕ written r...s for lower bound r ∈ ℕ and upper bound s ∈ ℕ.
Addition is defined pointwise with zero 0 = 0...0 and multiplication defined as in
interval arithmetic with 1 = 1...1 and ordering r...s ⊑ r'...s' = r' ≤ r ∧ s ≤ s'.
This semiring allows us to write a function which performs an elimination on a
coproduct (assuming inl : A¹ → A ⊕ B, and inr : B¹ → A ⊕ B in D):


⊕elim : (A¹ → C)^{0...1} → (B¹ → C)^{0...1} → (A ⊕ B)¹ → C
⊕elim = λf.λg.λx.case x of inl y ↦ f y; inr z ↦ g z


Example 3. The ! modality of linear logic can be (almost) recovered via the
{0, 1, ω} semiring where 0 ⊑ ω and 1 ⊑ ω. Addition is r + s = r if s = 0, r + s = s
if r = 0, otherwise ω. Multiplication is r · 0 = 0 · r = 0, r · ω = ω · r = ω (where
r ≠ 0), and r · 1 = 1 · r = r. This semiring expresses linear and non-linear usage,
where 1 indicates linear use, 0 requires the value be discarded, and ω acts as
linear logic’s ! permitting arbitrary use. This is similar to Haskell’s multiplicity
annotations, although they have no equivalent of a 0 grade, with only One and
Many grades [8]. Some additional restrictions are required on pattern typing to
get exactly the behaviour of ! with respect to products [26], not considered here.


Lastly we note that the calculus enjoys admissibility of substitution [1] which
is critical in type preservation proofs, and is needed for soundness of synthesis: 


Lemma 1 (Admissibility of substitution). Let Δ ⊢ t' : A, then: if Γ, x :r A, Γ' ⊢ t : B
then Γ + (r · Δ) + Γ' ⊢ [t'/x]t : B


4 Synthesis Calculus 


Having defined the target language, we define our synthesis calculus, which uses
the additive approach to resource management (see Section 2), with judgments:

Σ; Γ ⊢ A ⇒ t | Δ

That is, given an input context Γ, for goal type A we can synthesise the term
t with output context Δ describing how variables were used in t. As in typing,
top-level definitions and data constructors in scope are provided by a set D
parameterising the system. Σ is a context of type variables, which we elide when
it is simply passed inductively to the premise(s). The context Δ need not use the
variables in Γ with the same grades. Instead, the relationship between synthesis
and typing is given by the central soundness result, which we state up-front: that
synthesised terms are typed by their goal type under their output context:


Theorem 1 (Soundness). For all pre-ordered semirings R:
1. For all contexts Γ and Δ, types A, terms t:
   Σ; Γ ⊢ A ⇒ t | Δ  ⟹  Σ; Δ ⊢ t : A
2. At the top-level, for all type schemes ∀ᾱ:κ̄. A and terms t then:
   ∅; ∅ ⊢ ∀ᾱ:κ̄. A ⇒ t | ∅  ⟹  ∅; ∅ ⊢ t : ∀ᾱ:κ̄. A

Appendix D of the additional material provides the soundness proof [28],
which in part resembles a translation from sequent calculus to natural deduction, 
but also with the management of grades between synthesis and type checking. 

The first part of soundness on its own does not guarantee that a synthesised
program $t$ is well resourced, i.e., the grades in $\Delta$ may not be approximated by
grades in $\Gamma$. For example, for the semiring $\mathbb{N}$ a valid judgement is:


\[
x :_2 A \vdash A \Rightarrow x \mid x :_1 A
\]


i.e., for goal $A$, if $x$ has type $A$ in the context then we synthesise $x$ as the
resulting program, regardless of the grades. Such a synthesis judgement may be
part of a larger derivation in which the grades eventually match due to a further
subderivation, e.g., using $x$ again and thus total usage for $x$ is eventually 2 as
prescribed by the input context. However, at the level of an individual judgement
we do not guarantee that the synthesised term is well-resourced with respect to
the input context. A reasonable pruning condition to assess whether any synthesis
judgement is potentially well-resourced is $\exists \Delta'.\ (\Delta + \Delta') \sqsubseteq \Gamma$, i.e., there
is some additional usage $\Delta'$ (that might come from further on in the synthesis
process) that 'fills the gap' in resource use to produce $\Delta + \Delta'$ which is
overapproximated by $\Gamma$. In this example, $\Delta' = x :_1 A$ would satisfy this constraint,
explaining that there is some further possible single usage which will satisfy the
incoming grade. However, our previous work on graded linear types showed that
excessive pruning at every step becomes too costly in a general setting [27]. Instead,
we apply such pruning more judiciously, only requiring that variable use is
well-resourced at the point of synthesising binders. Therefore synthesised closed
terms are always well-resourced (second part of the soundness theorem).

We next present the synthesis calculus in stages. Each type former of the core 
calculus (with the exception of type variables) has two corresponding synthesis 
rules: a right rule for introduction (labelled R) and a left rule for elimination 
(labelled L). We frequently apply the algorithmic reading of the judgments,
where meta variables to the left of $\Rightarrow$ are inputs (i.e., context $\Gamma$ and goal type $A$)
and terms to the right of $\Rightarrow$ are outputs (i.e., the synthesised term $t$ and the usage
context $\Delta$). Whilst we largely present the approach here in abstract terms, via
the synthesis judgments, we highlight some choices made in our implementation 
(e.g., heuristics applied in the algorithmic version of the rules). 


4.1 Core Synthesis Rules 


Top-level We begin with synthesis from a type scheme goal (which is technically
a separate judgment form), providing the entry-point to synthesis:


\[
\dfrac{\vec{\alpha} : \vec{\kappa};\ \emptyset \vdash A \Rightarrow t \mid \emptyset}
      {\emptyset;\ \emptyset \vdash \forall \vec{\alpha} : \vec{\kappa}.\, A \Rightarrow t \mid \emptyset}\ \textsc{TopL}
\]


The universally-quantified type variables $\vec{\alpha} : \vec{\kappa}$ are thus added to the type
variable context of the premise (note, type variables are only equal to themselves).
Variables For any goal type $A$, if there is a variable in the context matching this
type then it can be synthesised for the goal, given by a terminal rule:

\[
\dfrac{\Sigma \vdash A : \mathsf{Ty}}
      {\Sigma;\ \Gamma, x :_r A \vdash A \Rightarrow x \mid 0 \cdot \Gamma, x :_1 A}\ \textsc{Var}
\]


Said another way, to synthesise the use of a variable $x$, we require that $x$ be
present in the input context $\Gamma$. The output context here then explains that only
variable $x$ is used: it consists of the entirety of the input context $\Gamma$ scaled by grade
0 (using Definition 1), extended with $x :_1 A$, i.e. a single usage of $x$ as denoted by
the 1 element of the semiring. Maintaining this zeroed $\Gamma$ in the output context
simplifies subsequent rules by avoiding excessive context membership checks.

The VAR rule permits synthesis of terms which may not be well-resourced, 
e.g., if r = 0, the rule still synthesises a use of x. As discussed at this section’s 
start, this may be locally ill-resourced, but is acceptable at the global level as we 
check that an assumption has been used correctly when it is bound. This reduces 
the number of intermediate theorems that need solving (previously shown to be 
expensive [27], especially since the variable rule is applied very frequently), but 
increases the number of paths that are ill-resourced so must be pruned later. 

The use of a top-level polymorphic function is synthesised if it can be instantiated
to match the goal type:


\[
\dfrac{(f : \forall \vec{\alpha} : \vec{\kappa}.\, A') \in D \qquad \Sigma \vdash A = \mathit{inst}(\forall \vec{\alpha} : \vec{\kappa}.\, A')}
      {\Sigma;\ \Gamma \vdash A \Rightarrow f \mid 0 \cdot \Gamma}\ \textsc{Def}
\]


For example, assuming $\mathit{flip} : \forall c : \mathsf{Type}, d : \mathsf{Type}.\ (c \otimes d)^1 \to (d \otimes c) \in D$ then
$\mathit{flip}$ is synthesised for a goal type of $(K_1 \otimes K_2)^1 \to (K_2 \otimes K_1)$ for some type
constants $K_1$ and $K_2$, via the instantiation $\emptyset \vdash (K_1 \otimes K_2)^1 \to (K_2 \otimes K_1) =
\mathit{inst}(\forall c : \mathsf{Type}, d : \mathsf{Type}.\ (c \otimes d)^1 \to (d \otimes c))$.

Recursion is provided by populating $D$ with the name and type of the definition
currently being synthesised for (see Section 4.2 for implementation details).


Functions Synthesis from function types is handled by the $\to_{\mathsf{R}}$ rule:


\[
\dfrac{\Gamma, x :_q A \vdash B \Rightarrow t \mid \Delta, x :_r A \qquad r \sqsubseteq q}
      {\Gamma \vdash A^q \to B \Rightarrow \lambda x.\, t \mid \Delta}\ \to_{\mathsf{R}}
\]


Reading bottom up, to synthesise a term of type $A^q \to B$ in context $\Gamma$ we first
extend the context with a fresh variable assumption $x :_q A$ and synthesise a
term of type $B$ that will ultimately become the body of the function. The type
$A^q \to B$ conveys that $A$ must be used according to $q$ in our term for $B$. The
fresh variable $x$ is passed to the premise of the rule using the grade of the binder:
$q$. The $x$ must then be used to synthesise a term $t$ with $q$ usage. In the premise,
after synthesising $t$ we obtain an output context $\Delta, x :_r A$. As mentioned, the
Var rule ensures that $x$ is present in this context, even if it was not used in the
synthesis of $t$ (e.g., $r = 0$). The rule ensures the usage of the bound term ($r$) in $t$
does not violate the input grade $q$ via the requirement that $r \sqsubseteq q$, i.e. that $r$ is
approximated by $q$. If met, $\Delta$ becomes the output context of the rule's conclusion.
Function application is synthesised from functions in the context (a left rule):

\[
\dfrac{\begin{array}{l}
\Gamma, x :_r A^q \to B, y :_r B \vdash C \Rightarrow t_1 \mid \Delta_1, x :_{s_1} A^q \to B, y :_{s_2} B \\
\Gamma, x :_r A^q \to B \vdash A \Rightarrow t_2 \mid \Delta_2, x :_{s_3} A^q \to B
\end{array}}
{\Gamma, x :_r A^q \to B \vdash C \Rightarrow [(x\ t_2)/y]t_1 \mid (\Delta_1 + s_2 \cdot q \cdot \Delta_2), x :_{s_1 + s_2 + (s_2 \cdot q \cdot s_3)} A^q \to B}\ \to_{\mathsf{L}}
\]


Reading bottom up, the input context contains an assumption of function type
$x :_r A^q \to B$. An application of $x$ can be synthesised if an argument $t_2$ can be
synthesised for the input type $A$ (second premise). The goal type $C$ is synthesised
(first premise), under the assumption of a result of type $B$ bound to $y$. In the
conclusion, a term is synthesised which substitutes in $t_1$ the result placeholder
variable $y$ for the application $x\ t_2$.

We explain the concluding output context in two stages. Firstly, the output
context $\Delta_1$ of the first premise is added to a scaled $\Delta_2$. Since $\Delta_2$ are the resources
used by the synthesised argument $t_2$, this context is scaled by $q$ as $t_2$ is used
according to $q$ by $x$ as per its type. This context is further scaled by $s_2$ which is
the usage of the entire application $x\ t_2$ inside $t_1$ as given by the output grade for
$y$ in the first premise. Secondly, the output context calculates the use of $x$ used
in the application itself and potentially also by both premises (which differs from
LGM's treatment of synthesis in a linear setting). Apart from application, $x$ may
be used also to synthesise the argument $t_2$, calculated as grade $s_3$ in the second
premise. Thus, the application accrues $q \cdot s_3$ use. Furthermore as the result $y$ is
used according to $s_2$, we must further scale by $s_2$, obtaining $s_2 \cdot q \cdot s_3$. To this
we must also add the additional usage of $x$ in the first premise $s_1$ as well as the
use of $x$ in actually performing application, which is 1 scaled by $s_2$ to account
for the usage of its result, thus obtaining the output grade for $x$. Following the
soundness proof for this rule (Appendix D) can be instructive.

The declarative rule above does not imply an ordering of whether $t_1$ or $t_2$ is
synthesised first. As a heuristic, the implementation first attempts to synthesise
$t_1$ assuming $y :_r B$ according to the first premise to avoid possibly unnecessary
work if no term can be synthesised anyway for $C$.


Example 4. Let $T = (A \otimes A)^{0..1} \to A$ type an assumption $\mathit{fst}$ in a use of $\to_{\mathsf{L}}$:


\[
\dfrac{\begin{array}{l}
x :_r A, \mathit{fst} :_r T, y :_r A \vdash A \otimes A \Rightarrow (y, y) \mid x :_0 A, \mathit{fst} :_0 T, y :_2 A \\
x :_r A, \mathit{fst} :_r T \vdash A \otimes A \Rightarrow (x, x) \mid x :_2 A, \mathit{fst} :_0 T
\end{array}}
{x :_r A, \mathit{fst} :_r T \vdash A \otimes A \Rightarrow (\mathit{fst}\ (x, x), \mathit{fst}\ (x, x)) \mid x :_{0 + 2 \cdot (0..1) \cdot 2} A, \mathit{fst} :_{0 + 2 + (2 \cdot (0..1) \cdot 0)} T}
\]


In this instantiation of the $\to_{\mathsf{L}}$ rule, $q = 0..1$ and $s_1 = s_3 = 0$, i.e., the function
$\mathit{fst}$ is not used in the subterms, and $s_2 = 2$, i.e., the result $y$ of $\mathit{fst}$ is used twice.
In the conclusion then, $x$ has output grade $0 + 2 \cdot (0..1) \cdot 2 = 0..4$, i.e., it is
used up to four times and $\mathit{fst}$ has grade $2..2$, i.e., it is used twice.
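As an added worked example (not code from the paper or from Granule), the following Python carries out the grade arithmetic behind Example 4 in the natural-number interval semiring used there, and also decides the pruning condition $\exists \Delta'.\ (\Delta + \Delta') \sqsubseteq \Gamma$ discussed at the start of this section; representing contexts as name-to-grade maps (types dropped) and all helper names are assumptions of this example.

```python
"""Grade arithmetic for the synthesis calculus over the natural-number interval
semiring (grades lo..hi, hi possibly infinite): context scaling and addition,
the ->L output context of Example 4, and the well-resourcedness checks (r ⊑ q
at a binder; the pruning condition ∃Δ'. (Δ + Δ') ⊑ Γ). Contexts are modelled
as name -> grade maps with the assumptions' types dropped, an assumption of
this example, since only the grades take part in the arithmetic."""
from __future__ import annotations
from dataclasses import dataclass
from math import inf


def _mul(a, b):
    # r·0 = 0 even when the other factor is ∞ (a plain float 0*inf is nan)
    return 0 if a == 0 or b == 0 else a * b


@dataclass(frozen=True)
class Interval:
    lo: float  # least number of uses
    hi: float  # greatest number of uses, inf when unbounded

    def __add__(self, o: Interval) -> Interval:
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __mul__(self, o: Interval) -> Interval:
        return Interval(_mul(self.lo, o.lo), _mul(self.hi, o.hi))

    def lub(self, o: Interval) -> Interval:
        # least upper bound ⊔ w.r.t. ⊑: the smallest interval containing both
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def approx(self, o: Interval) -> bool:
        # self ⊑ o: self is approximated by (contained in) o
        return o.lo <= self.lo and self.hi <= o.hi

    def __str__(self) -> str:
        return f"{self.lo}..{'∞' if self.hi == inf else self.hi}"


ZERO, ONE = Interval(0, 0), Interval(1, 1)
Ctx = dict[str, Interval]


def scale(r: Interval, ctx: Ctx) -> Ctx:
    """r · Γ: multiply every grade in the context by r (Definition 1)."""
    return {x: r * g for x, g in ctx.items()}


def add(a: Ctx, b: Ctx) -> Ctx:
    """Γ + Δ: grades of shared assumptions are summed, the rest are unioned."""
    out = dict(a)
    for x, g in b.items():
        out[x] = out[x] + g if x in out else g
    return out


def arrow_left(prem1: Ctx, prem2: Ctx, f: str, y: str, q: Interval) -> Ctx:
    """Output context of ->L from the output contexts of its two premises.

    prem1 is Δ1, f :_{s1} A^q -> B, y :_{s2} B (the goal synthesised with the
    result placeholder y); prem2 is Δ2, f :_{s3} A^q -> B (the argument
    synthesised for A). The conclusion is (Δ1 + s2·q·Δ2), f :_{s1+s2+s2·q·s3}."""
    d1, d2 = dict(prem1), dict(prem2)
    s1, s2, s3 = d1.pop(f), d1.pop(y), d2.pop(f)
    out = add(d1, scale(s2 * q, d2))
    out[f] = s1 + s2 + s2 * q * s3
    return out


def well_resourced(delta: Ctx, gamma: Ctx) -> bool:
    """Δ ⊑ Γ pointwise: the exact check applied at binders (r ⊑ q in ->R)."""
    return all(x in gamma and g.approx(gamma[x]) for x, g in delta.items())


def potentially_well_resourced(delta: Ctx, gamma: Ctx) -> bool:
    """The pruning condition ∃Δ'. (Δ + Δ') ⊑ Γ, decided for intervals: with
    Δ(x) = a..b and Γ(x) = g..h, a filler c..d exists iff b ≤ h and
    g - a ≤ h - b (take d = h - b and c = max(0, g - a)); assumptions of Γ
    absent from Δ can always be filled, since Δ' may use them up to Γ."""
    for x, d in delta.items():
        if x not in gamma:
            return False
        g = gamma[x]
        if g.hi == inf:
            continue  # unbounded room: any further usage fits
        if d.hi > g.hi or g.lo - d.lo > g.hi - d.hi:
            return False
    return True


def example4() -> Ctx:
    """Example 4: fst : (A ⊗ A)^{0..1} -> A applied to (x, x), result used twice."""
    q = Interval(0, 1)
    # premise 1: ... ⊢ A ⊗ A ⇒ (y, y) | x :_0 A, fst :_0 T, y :_2 A
    prem1 = {"x": ZERO, "fst": ZERO, "y": Interval(2, 2)}
    # premise 2: ... ⊢ A ⊗ A ⇒ (x, x) | x :_2 A, fst :_0 T
    prem2 = {"x": Interval(2, 2), "fst": ZERO}
    return arrow_left(prem1, prem2, "fst", "y", q)


if __name__ == "__main__":
    out = example4()
    print({x: str(g) for x, g in out.items()})  # {'x': '0..4', 'fst': '2..2'}
    # the N-semiring judgement x :_2 A ⊢ A ⇒ x | x :_1 A from the start of the
    # section: not well-resourced on its own, but Δ' = x :_1 A fills the gap
    gamma, delta = {"x": Interval(2, 2)}, {"x": ONE}
    print(well_resourced(delta, gamma), potentially_well_resourced(delta, gamma))
    # had x been bound by ->R with q = 0..1, the usage 0..4 would fail r ⊑ q
    print(out["x"].approx(Interval(0, 1)))  # False
```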


Graded Modalities Graded modalities are introduced through the $\Box_{\mathsf{R}}$ rule,
synthesising a promotion $[t]$ for some graded modal type $\Box_r A$:


\[
\dfrac{\Gamma \vdash A \Rightarrow t \mid \Delta}
      {\Gamma \vdash \Box_r A \Rightarrow [t] \mid r \cdot \Delta}\ \Box_{\mathsf{R}}
\]

The premise synthesises term $t$ from $A$ with output context $\Delta$. In the conclusion,
$\Delta$ is scaled by the grade $r$ of the goal type since $[t]$ must use $t$ as $r$ requires.


Grade elimination (unboxing) takes place via pattern matching in case:


\[
\dfrac{\Gamma, y :_{r \cdot q} A, x :_r \Box_q A \vdash B \Rightarrow t \mid \Delta, y :_{s_1} A, x :_{s_2} \Box_q A \qquad \exists s_3.\ s_1 \sqsubseteq s_3 \cdot q \sqsubseteq r \cdot q}
      {\Gamma, x :_r \Box_q A \vdash B \Rightarrow \mathbf{case}\ x\ \mathbf{of}\ [y] \to t \mid \Delta, x :_{s_2 + s_3} \Box_q A}\ \Box_{\mathsf{L}}
\]


To eliminate an assumption $x$ of graded modal type $\Box_q A$, we bind a fresh
assumption in the premise: $y :_{r \cdot q} A$. This assumption is graded with $r \cdot q$: the grade
from the assumption's type multiplied by the grade of the assumption itself. As
with previous elimination rules, $x$ is rebound in the rule's premise. A term $t$ is
then synthesised resulting in the output context $\Delta, y :_{s_1} A, x :_{s_2} \Box_q A$, where $s_1$
and $s_2$ describe how $y$ and $x$ were used in $t$. The second premise ensures that
the usage of $y$ is well-resourced. The grade $s_3$ represents how much the usage of
$y$ inside $t$ contributes to the overall usage of $x$. The constraint $s_1 \sqsubseteq s_3 \cdot q$
conveys the fact that $q$ uses of $y$ constitute a single use of $x$, with the constraint
$s_3 \cdot q \sqsubseteq r \cdot q$ ensuring that the overall usage does not exceed the binding grade.
For the output context of the conclusion, we simply remove the bound $y$ from
$\Delta$ and add $x$, with the grade $s_2 + s_3$ representing the total usage of $x$ in $t$.


Data Types The synthesis of introduction forms for data types is by the $C_{\mathsf{R}}$ rule:


\[
\dfrac{\begin{array}{l}
(C : \forall \vec{\alpha} : \vec{\kappa}.\ B_1'^{\,q_1} \to \ldots \to B_n'^{\,q_n} \to K\,\vec{A'}) \in D \\
\Sigma \vdash B_1^{q_1} \to \ldots \to B_n^{q_n} \to K\,\vec{A} = \mathit{inst}(\forall \vec{\alpha} : \vec{\kappa}.\ B_1'^{\,q_1} \to \ldots \to B_n'^{\,q_n} \to K\,\vec{A'}) \\
\Sigma;\ \Gamma \vdash B_i \Rightarrow t_i \mid \Delta_i \quad (1 \leq i \leq n)
\end{array}}
{\Sigma;\ \Gamma \vdash K\,\vec{A} \Rightarrow C\ t_1 \ldots t_n \mid q_1 \cdot \Delta_1 + \ldots + q_n \cdot \Delta_n}\ C_{\mathsf{R}}
\]


where $D$ is the set of data constructors in global scope, e.g., coming from ADT
definitions, including here products, unit, and coproducts with $(,) : A^1 \to B^1 \to A \otimes B$,
$\mathit{unit} : \mathsf{Unit}$, $\mathit{inl} : A^1 \to A \oplus B$, and $\mathit{inr} : B^1 \to A \oplus B$.

For a goal type $K\,\vec{A}$ where $K$ is a data type with zero or more type arguments
(denoted by the vector $\vec{A}$), then a constructor term $C\ t_1 \ldots t_n$ for $K\,\vec{A}$ is
synthesised. The type scheme of the constructor in $D$ is first instantiated (similar
to the Def rule), yielding a type $B_1^{q_1} \to \ldots \to B_n^{q_n} \to K\,\vec{A}$. A sub-term is then
synthesised for each of the constructor's arguments $t_i$ in the third premise (which is
repeated for each instantiated argument type $B_i$), yielding output contexts $\Delta_i$.
The output context for the rule's conclusion is obtained by performing a context
addition across all the output contexts generated from the premises, where each
context $\Delta_i$ is scaled by the corresponding grade $q_i$ from the data constructor in
$D$ capturing the fact that each argument $t_i$ is used according to $q_i$.

Data type elimination synthesises case expressions, pattern matching on each
data constructor of the goal data type $K\,\vec{A}$, with various constraints on grades.
In the rule, we use the least-upper bound (lub) operator $\sqcup$ on grades, which is
defined wrt. $\sqsubseteq$ and may not always be defined:


\[
\dfrac{\begin{array}{l}
(C_i : \forall \vec{\alpha} : \vec{\kappa}.\ B_1'^{\,q_1} \to \ldots \to B_n'^{\,q_n} \to K\,\vec{A'}) \in D \qquad \Sigma \vdash K\,\vec{A} : \mathsf{Ty} \\
\Sigma \vdash B_1^{q_1} \to \ldots \to B_n^{q_n} \to K\,\vec{A} = \mathit{inst}(\forall \vec{\alpha} : \vec{\kappa}.\ B_1'^{\,q_1} \to \ldots \to B_n'^{\,q_n} \to K\,\vec{A'}) \\
\Sigma;\ \Gamma, x :_r K\,\vec{A}, y^i_1 :_{r \cdot q_1} B_1, \ldots, y^i_n :_{r \cdot q_n} B_n \vdash B \Rightarrow t_i \mid \Delta_i, x :_{r_i} K\,\vec{A}, y^i_1 :_{s^i_1} B_1, \ldots, y^i_n :_{s^i_n} B_n \\
\exists s'^{\,i}_j.\ s^i_j \sqsubseteq s'^{\,i}_j \cdot q_j \sqsubseteq r \cdot q_j \qquad s_i = s'^{\,i}_1 \sqcup \ldots \sqcup s'^{\,i}_n \qquad |K\,\vec{A}| > 1 \Rightarrow 1 \sqsubseteq s_1 \sqcup \ldots \sqcup s_m
\end{array}}
{\Sigma;\ \Gamma, x :_r K\,\vec{A} \vdash B \Rightarrow \mathbf{case}\ x\ \mathbf{of}\ \overline{C_i\ y^i_1 \ldots y^i_n \to t_i} \mid (\Delta_1 \sqcup \ldots \sqcup \Delta_m), x :_{(r_1 \sqcup \ldots \sqcup r_m) + (s_1 \sqcup \ldots \sqcup s_m)} K\,\vec{A}}\ C_{\mathsf{L}}
\]


where $1 \leq i \leq m$ indexes data constructors of which there are $m$ (i.e., $m = |K\,\vec{A}|$)
and $1 \leq j \leq n$ indexes arguments of the $i$th data constructor, thus $n$ depends
on $i$. The rule considers data constructors where $n > 0$ for brevity.

The relevant data constructors $C_i$ are retrieved from the global scope $D$ in the
first premise. Each polymorphic type scheme is instantiated to a monomorphic
type. The monomorphised type for each $C_i$ is a function from constructor arguments
$B_1 \ldots B_n$ to the applied type constructor $K\,\vec{A}$. For each $C_i$, we synthesise
a term $t_i$ from this result type $K\,\vec{A}$, binding the data constructor's argument
types as fresh assumptions to be used in the synthesis of $t_i$. The grades of each
argument are scaled by $r$. This follows the pattern typing rule for constructors;
a pattern match under some grade $r$ must bind assumptions that have the
capability to be used according to $r$. The assumption being eliminated $x :_r K\,\vec{A}$ is
also included in the premise's context (as in $\to_{\mathsf{L}}$) as we may perform additional
eliminations on the current assumption subsequently.

The output context for each branch can be broken down into three parts:


1. $\Delta_i$ contains any assumptions from $\Gamma$ that were used to construct $t_i$;

2. $x :_{r_i} K\,\vec{A}$ describes how the assumption $x$ was used;

3. $y^i_1 :_{s^i_1} B_1, \ldots, y^i_n :_{s^i_n} B_n$ describes how each assumption $y^i_j$ bound in the
pattern match was used in $t_i$ according to grade $s^i_j$.


For the concluding output context, we take the least-upper bound of the shared
output contexts $\Delta_i$ of the branches. This is extended with the grade for $x$ which
requires some calculation. For each bound assumption, we generate a fresh grade
variable $s'^{\,i}_j$ which represents how that variable was used in $t_i$ after factoring out
the multiplication by $q_j$. This is done via the constraint in the third premise
that $\exists s'^{\,i}_j.\ s^i_j \sqsubseteq s'^{\,i}_j \cdot q_j \sqsubseteq r \cdot q_j$. The lub of $s'^{\,i}_j$ for all $j$ is then taken to form a
grade variable $s_i$ which represents the total usage of $x$ for branch $i$ arising from
the use of assumptions bound via the pattern match (i.e., not usage that arises
from reusing $x$ explicitly inside $t_i$). The final grade for $x$ is then the lub of each
$r_i$ (the usages of $x$ directly in each branch) plus the lub of each $s_i$ (the usages
of the assumptions that were bound from matching on a constructor of $x$).


Example 5 (case synthesis). Consider two possible synthesis results:


\[
\begin{array}{ll}
x :_r A \oplus \mathsf{Unit}, y :_s A, z :_{r \cdot q_1} A \vdash A \Rightarrow z \mid x :_0 A \oplus \mathsf{Unit}, y :_0 A, z :_1 A & (1) \\
x :_r A \oplus \mathsf{Unit}, y :_s A \vdash A \Rightarrow y \mid x :_0 A \oplus \mathsf{Unit}, y :_1 A & (2)
\end{array}
\]

We will plug these into the rule for generating case as follows, where $\Sigma$ has been
elided and instead of using the above concrete grades we have used the abstract
form of the rule (the two will be linked by equations after):


\[
\begin{array}{l}
(\mathit{some} : \forall \alpha, \beta : \mathsf{Ty}.\ \alpha^1 \to \alpha \oplus \beta) \in D \qquad \Sigma \vdash A^1 \to A \oplus \mathsf{Unit} = \mathit{inst}(\forall \alpha, \beta : \mathsf{Ty}.\ \alpha^1 \to \alpha \oplus \beta) \\
(\mathit{none} : \forall \alpha, \beta : \mathsf{Ty}.\ \alpha \oplus \beta) \in D \qquad \Sigma \vdash A \oplus \mathsf{Unit} = \mathit{inst}(\forall \alpha, \beta : \mathsf{Ty}.\ \alpha \oplus \beta) \\
(1)\ \Sigma;\ x :_r A \oplus \mathsf{Unit}, y :_s A, z :_{r \cdot q_1} A \vdash A \Rightarrow z \mid x :_0 A \oplus \mathsf{Unit}, y :_0 A, z :_{s_1} A \\
(2)\ \Sigma;\ x :_r A \oplus \mathsf{Unit}, y :_s A \vdash A \Rightarrow y \mid x :_0 A \oplus \mathsf{Unit}, y :_1 A \\
\exists s'_1.\ s_1 \sqsubseteq s'_1 \cdot q_1 \sqsubseteq r \cdot q_1 \qquad s = s'_1 \qquad |A \oplus \mathsf{Unit}| > 1 \Rightarrow 1 \sqsubseteq s \\
\hline
x :_r A \oplus \mathsf{Unit}, y :_s A \vdash A \Rightarrow (\mathbf{case}\ x\ \mathbf{of}\ \mathit{some}\ z \to z;\ \mathit{none} \to y) \mid x :_{(0 \sqcup 0) + s} A \oplus \mathsf{Unit}, y :_{0 \sqcup 1} A
\end{array}
\]


To unify (1) and (2) with the $C_{\mathsf{L}}$ rule format $s_1 = 1$ and $q_1 = 1$ (from the type
of $\mathit{inl}$). Applying these equalities to the existential constraint we have


\[
\exists s'_1.\ 1 \sqsubseteq (s'_1 \cdot 1) \sqsubseteq (r \cdot 1) \quad\Longrightarrow\quad \exists s'_1.\ 1 \sqsubseteq s'_1 \sqsubseteq r
\]


With the natural-number intervals semiring this is satisfied by $s'_1 = 1..1 = s$
and thus in the output context $x$ has grade $1..1$ and $y$ has grade $0..1$.


Recursive Types Though $\mu$ types are equi-recursive, we define explicit synthesis
rules to facilitate the implementation (Section 4.2) where depth information
needs to be tracked when employing the following $\mu_{\mathsf{R}}$ and $\mu_{\mathsf{L}}$ rules:


\[
\dfrac{\Gamma \vdash A[\mu X.A/X] \Rightarrow t \mid \Delta}
      {\Gamma \vdash \mu X.A \Rightarrow t \mid \Delta}\ \mu_{\mathsf{R}}
\qquad
\dfrac{\Gamma, x :_r A[\mu X.A/X] \vdash B \Rightarrow t \mid \Delta}
      {\Gamma, x :_r \mu X.A \vdash B \Rightarrow t \mid \Delta}\ \mu_{\mathsf{L}}
\]


To synthesise a recursive data structure of type $\mu X.A$, we must be able to
synthesise $A$ with $\mu X.A$ substituted for the recursion variable $X$ in $A$. For example, if
we wish to synthesise a list typed $\mathsf{List}\ a$ (where $\mathit{Cons} : a \to \mathsf{List}\ a \to \mathsf{List}\ a$)
then when synthesising a $\mathit{Cons}$ constructor in the $\mu_{\mathsf{R}}$ rule, we must re-apply the
$\mu_{\mathsf{R}}$ rule to synthesise the recursive argument. Elimination of a value $\mu X.A$ in the
context is via the $\mu_{\mathsf{L}}$ rule, which expands the recursive type in the synthesis context.


4.2 Algorithmic Implementation 


The calculus presented above serves as a starting point for our implemented
synthesis algorithm in Granule. However, the rules are highly non-deterministic with
regards to the order in which they may be applied. For example, after applying a
($\to_{\mathsf{R}}$)-rule, we may choose to apply any of the elimination rules before applying
an introduction rule for the goal type. This leads to us exploring a large number
of redundant search branches which can be avoided through the application of a
technique known as focusing [4]. Focusing is a tool from linear logic proof theory
based on the idea that some rules are invertible, i.e., whenever the conclusion of
the rule is derivable, then so are the premises. In other words, the order in which
we apply invertible rules doesn't matter. By fixing a particular ordering on the
application of invertible rules, we eliminate much of the non-determinism that
arises from trying branches which differ only in the order in which invertible rules
are applied. The full focusing versions of the rules from our calculus, and their
proof of soundness, can be found in Appendix E [28]. This forms the basis of our
implementation with the high-level algorithm given in appendix Figure 5 as a
(non-deterministic) finite state machine, which shows the ordering given to the
rules under the focusing approach, starting with trying to synthesise function
types before switching to elimination rules, and so on. In standard terminology,
our algorithm is 'top-down' (see, e.g., [53]), or goal-directed, in which
we start with a type goal and an input context and progress by gradually building
the syntax tree from the empty term following the focusing-ordered rules
of our calculus. This contrasts with 'bottom-up' approaches [2, 41, 44] which
maintain complete programs which can be executed (tested) and combined.

Where transitions are non-deterministic in the algorithm, multiple branches 
are then explored in synthesis. Our implementation relies on the use of back- 
tracking proof search, leveraging a monadic interface that provides both choice 
(e.g., between multiple possible synthesis options based on the goal type) and 
failure (e.g., when a constraint fails to hold) [33]. For every rule that generates a
constraint on grades, due to binding ($\Box_{\mathsf{L}}$, $\to_{\mathsf{R}}$, $C_{\mathsf{L}}$), we compile the constraints
to the SMT-lib format [7] which are then discharged by the Z3 SMT solver [43].
If the constraint is invalid then we trigger the failure of this synthesis pathway,
triggering backtracking via the "logic" monad [33]. A synthesised program can
also be rejected by the user (or due to failing an example, see below) and synthesis
then produces an alternate result (what we call a retry) via backtracking.

Recursive data structures present a challenge in the implementation. For
example, for the list data type, how do we prevent synthesis from applying
the $\mu_{\mathsf{L}}$ rule, followed by the $C_{\mathsf{L}}$ rule on the Cons constructor ad infinitum? We
resolve this issue using an iterative deepening approach similar to that used by
MYTH. Programs are synthesised with elimination (and introduction) forms
of constructors restricted up to a given depth. If no program is synthesised within
these bounds, then the depth limits are incremented. The current depth and the
depth limit are part of the state of the synthesiser. Combined with focusing
this provides the basis of an efficient implementation of the synthesis calculus.
Furthermore, to ensure that a synthesised program terminates, we only permit
synthesis of recursive function calls which are structurally recursive, i.e., those
which apply the recursive definition to a subterm of the function's inputs [48].

Lastly, after synthesis, a post-synthesis refactoring step runs to simplify
terms and produce a more idiomatic style. For example, for the k combinator
type signature k : ∀ {a b : Type} . a %1 -> b %0 -> a we synthesise the term
k = \x -> \y -> x. Our refactoring procedure collects the outermost abstractions
of a synthesised term and transforms them into equation-level patterns with
the innermost abstraction body forming the equation body: k x y = x. Repeated
case expressions are also refactored into nested pattern matches, which are part
of Granule. For example, nested matching on pairs is simplified to a single case
with nested pattern matching: case x of (y1, y2) -> case y1 of (z1, z2) -> e
is refactored to case x of ((z1, z2), y2) -> e.


Input-output Examples Further to the implementation described above, we also
allow user-defined input-output examples which are checked as part of synthesis.
Our approach is deliberately naive: we evaluate a fully synthesised candidate
program against the inputs and check that the results match the corresponding
outputs. Unlike sophisticated example-driven synthesis tools, the examples only
influence the search procedure by backtracking on a complete program that
doesn't satisfy the examples. This lets us consider the effectiveness of search
based primarily around the use of grades (see Section 5). Integrating examples
more tightly with the type-and-grade directed approach is further work.

Our implementation augments Granule with first-class syntax for specifying 
input-output examples, both as a feature for aiding synthesis but also for aiding 
documentation that is type checked (and therefore more likely to stay consistent 
with a code base as it evolves). Synthesis specifications are written in Granule 
directly above a program hole (written using ?) using the spec keyword. The 
input-output examples are then listed per-line. For example, one of the benchmark
programs (Section 5) for the length of a list is specified as:


1 length : ∀ a . List a %0..∞ -> N
2 spec
3   length (Cons 1 (Cons 1 Nil)) = S (S Z);
4   length
5 length = ?


Any synthesised definition must then behave according to this example. 

In a spec block, a user can also specify the names of functions in scope which 
are to be taken as the available definitions (set D in the formal specification). For 
example, line 4 above specifies that length can be used here (i.e., recursively). 


5 Evaluation 


In evaluating our approach and tool, we made the following hypotheses: 


H1. (Expressivity; less consultation) The use of grades in synthesis results 
in a synthesised program that is more likely to have the behaviour desired 
by the user; the user needs to request fewer alternate synthesised results 
(retries) and thus is consulted less in order to arrive at the desired program. 

H2. (Expressivity; fewer examples) Grade-and-type directed synthesis requires
fewer input-output examples to arrive at the desired program compared
with a purely type-driven approach.

H3. (Performance; more pruning) The ability to prune resource-violating 
candidate programs from the search tree leads to a synthesised program 
being found more quickly when synthesised from a graded type compared 
with the same type but without grades (purely type-driven approach). 


5.1 Methodology


To evaluate our approach, we collected a suite of benchmarks comprising graded
type signatures for common transformations on structures such as lists, streams,
booleans, option ('maybe') types, unary natural numbers, and binary trees. A
representative sample of benchmarks from the MYTH synthesis tool [47] are
included alongside a variety of other programs one might write in a graded setting.
Benchmarks are categorised based on the main data type, with an additional mis- 
cellaneous category. Appendix C lists type schemes for all benchmarks [28]. To 
compare, in various ways, our grade-and-type-directed synthesis to traditional 
type-directed synthesis, each benchmark signature is also “de-graded” by replac- 
ing all grades in the type with Any which is the only element of the singleton 
Cartesian semiring in Granule. When synthesising in this semiring, we can forgo 
discharging grade constraints in the SMT solver entirely. Thus, synthesis for 
Cartesian grades degenerates to type-directed synthesis following our rules. 

To assess hypothesis 1 (grade-and-type directed leads to less consultation 
/ more likely to synthesise the intended program) we perform grade-and-type 
directed synthesis on each benchmark problem and type-directed synthesis on 
the corresponding de-graded version. For the de-graded versions, we record the 
number of retries N needed to arrive at a well-resourced answer by type checking 
the output programs against the original graded type signature, retrying if the 
program is not well-typed (essentially, not well-resourced). This checks whether 
a program is 'as intended' without requiring input from a user. In each case, we
also compared whether the resulting programs from synthesis via grade-and-type
directed vs. type-directed with retries (on non-well-resourced programs) were equivalent.

To assess hypothesis 2 (graded-and-type directed requires fewer examples 
than type-directed), we run the de-graded (Cartesian) synthesis with the smallest 
set of examples which leads to the model program being synthesised (without 
any retries). To compare across approaches to the state-of-the-art type-directed
approach, we also run a separate set of experiments comparing the minimal
number of examples required to synthesise in Granule (with grades) vs. MYTH.

To assess hypothesis 3 (grade-and-type-directed faster than type-directed) we 
compare performance in the graded setting to the de-graded Cartesian setting. 
Comparing our tool for speed against another type-directed (but not graded- 
directed) synthesis tool such as MYTH is likely to be largely uninformative due 
to differences in implementation (engineering artefacts) obscuring meaningful 
comparison. Thus, we instead compare timings for the graded and de-graded 
approach within Granule. This normalises implementation artefacts as the two 
approaches vary only in the use of SMT solving to prune ill-resourced programs 
(in the graded approach). We also record the number of search paths taken (over 
all retries) to assess the level of pruning in the graded vs de-graded case. 

We ran our synthesis tool on each benchmark for both the graded type and 
the de-graded Cartesian case, computing the mean after 10 trials for timing data. 
Benchmarking was carried out using version 4.12.1 of Z3 [43] on an M1 MacBook 
Air with 16 GB of RAM. A timeout limit of 10 seconds was set for synthesis. 


5.2 Results and Analysis 


Table 1 records the results comparing grade-and-type synthesis vs. the Cartesian
(de-graded) type-directed synthesis. The left column gives the benchmark name,
number of top-level definitions in scope that can be used as components (size
of the synthesis context) labelled Ctxt, and the minimum number of examples
needed (#Exs) to synthesise the Graded and Cartesian programs. In the Cartesian
setting, where grade information is not available, if we forgo type-checking
a candidate program against the original graded type then additional input-output
examples are required to provide a strong enough specification such that
the correct program is synthesised (see H3). The number of additional examples
is given in parentheses for those benchmarks which required these additional
examples to synthesise a program in the Cartesian setting.


Each subsequent results column records: whether a program was synthesised
successfully (✓) or not (✗, due to timeout or no solution found), the mean synthesis
time (μT) or if timeout occurred, and the number of branching paths (Paths)
explored in the synthesis search space.


The first results column (Graded) contains the results for graded synthesis. 
The second results column (Cartesian + Graded type-check) contains the results 
for synthesising in the Cartesian (de-graded) setting, using the same examples set 
as the Graded column, and recording the number of retries (consultations of the 
type-checker at the end) N needed to reach a well-resourced program. In all cases, 
the resulting program in the Cartesian case was equivalent to that generated by 
the graded synthesis, none of which needed any retries (i.e., implicitly N = 0 for 
graded synthesis, i.e., no retries are needed). H1 is confirmed by the fact that N
is greater than 0 in 29 out of 46 benchmarks (60%), i.e., the Cartesian case does
not synthesise the correct program first time and needs multiple retries to reach
a well-resourced program, with a mean of 19.60 retries and a median of 4 retries.


For each row, we highlight the column which synthesised a result the fastest in 
blue. In 17 of the 46 benchmarks (37%) the graded approach out-performed non- 
graded synthesis. This contradicts hypothesis 3 somewhat: whilst type-directed 
synthesis often requires multiple retries (versus no retries for graded) it still out- 
performs graded synthesis. This is due to the cost of SMT solving which must 
compile a first-order theorem on grades into the SMT-lib file format, start Z3, 
and then run the solver. Considerable amounts of system overhead are incurred 
in this procedure. A more efficient implementation calling Z3 directly (via a dy- 
namic library call) may give more favourable results here. However, H3 is still 
somewhat supported: the cases in which the graded does outperform the Carte- 
sian are those which involve considerable complexity in their use of grades, such 
as stutter, inc, and bind for lists, and sum for both lists and trees. In each case, 
the Cartesian column is significantly slower, even timing out for stutter; this 
shows the power of the graded approach. Furthermore, we highlight the column
with the smallest number of synthesis paths explored in yellow, observing that
the number of paths in the graded case is always the same as or less than those
in the Cartesian+graded type check case (apart from Tree stutter). The paths
explored are sometimes the same between Graded and Cartesian synthesis
because we use backtracking search even in the Cartesian case where, if an output
program fails to type check against the graded type, the search backtracks
rather than starting from the beginning. This leads to an equal number of paths
in the graded case when solving occurred only at a top-level abstraction. However,
paths explored are fewer in the graded case when solving occurs at other
binders, e.g., in case and unboxing.

Confirming H2, the de-graded setting without graded type checking requires 
more examples to synthesise the same program as the graded in 20 out of 46 
(43%) cases. In these cases, an average of 1.25 additional examples are required. 
To further interrogate H2, we compare the number of examples required by 


Table 1: Results. µT in ms to 2 d.p. with standard sample error in brackets. 
(For each configuration the columns give whether synthesis succeeded, µT, and the 
number of paths explored; the Cartesian configuration also reports N. Cells that are 
illegible in the extracted text are marked ?; the rotated group labels are given 
where they can be recovered.) 

Group   Problem       Ctxt  #/Exs.   Graded                            Cartesian + Graded type-check 
                                     ✓  µT (ms)           Paths        ✓  µT (ms)            N    Paths 
List    append        0     0 (+1)   ✓  5.35 (5.13)       130          ✓  105.24 (0.36)      8    130 
        concat        1     0 (+?)   ✓  ? (1.60)          1354         ✓  615.29 (1.43)      12   1354 
        empty         0     0        ✓  5.31 (0.02)       17           ✓  1.20 (0.01)        0    17 
        snoc          1     1        ✓  2137.28 (2.14)    2204         ✓  1094.03 (4.75)     8    2278 
        drop          1     1        ✓  1185.03 (2.53)    1634         ✓  445.95 (1.71)      8    1907 
        flatten       2     1        ✓  1369.90 (2.60)    482          ✓  527.64 (1.04)      8    482 
        bind          2     0 (+2)   ✓  62.20 (0.21)      129          ✓  622.84 (0.95)      18   427 
        return        0     0 (+?)   ✓  19.71 (0.18)      49           ✓  22.00 (0.08)       4    49 
        inc           1     1        ✓  708.23 (0.69)     879          ✓  2835.53 (7.69)     24   1664 
        head          0     1        ✓  68.23 (0.53)      34           ✓  ?                  4    34 
        tail          0     1        ✓  84.23 (0.20)      33           ✓  38.59 (0.06)       8    33 
        last          1     1 (+?)   ✓  1298.52 (?)       593          ✓  410.60 (6.25)      4    684 
        length        1     1        ✓  464.12 (0.5?)     251          ✓  127.91 (0.58)      4    251 
        map           1     0 (+?)   ✓  550.10 (?)        3075         ✓  249.42 (0.73)      4    3075 
        replicate?    0     0 (+?)   ✓  372.23 (0.70)     1295         ✓  435.78 (1.06)      4    1295 
        replicate10   0     0 (+?)   ✓  2241.87 (4.74)    10773        ✓  2898.93 (1.47)     4    10773 
        replicateN    1     1        ✓  593.86 (1.68)     772          ✓  108.98 (0.65)      4    772 
        stutter       1     0        ✓  ?                 1792         ✗  Timeout            -    - 
        sum           2     1 (+?)   ✓  84.09 (0.25)      208          ✓  3236.74 (0.87)     192  3623 
?       build         0     0 (+?)   ✓  61.27 (0.45)      7            ✓  84.44 (0.49)       4    75 
        map           1     0 (+?)   ✓  351.93 (0.91)     1363         ✓  153.01 (0.37)      0    1363 
        take1         0     0 (+?)   ✓  34.02 (0.23)      22           ✓  19.32 (0.05)       0    22 
        take2         0     0 (+?)   ✓  110.18 (0.31)     204          ✓  89.10 (0.18)       0    208 
        take3         0     0 (+?)   ✓  915.39 (1.42)     1139         ✓  631.47 (1.14)      0    1172 
Bool    neg           0     2        ✓  209.09 (0.31)     42           ✓  1168.37 (0.56)     0    42 
        and           0     4        ✓  3129.30 (2.82)    786          ✓  7069.14 (15.91)    0    2153 
        impl          0     4        ✓  1735.09 (4.31)    484          ✓  3000.48 (4.65)     0    1214 
        or            0     4        ✓  1213.86 (1.02)    374          ✓  2867.74 (3.52)     0    1203 
        xor           0     4        ✓  2865.79 (4.33)    736          ✓  7251.38 (32.06)    0    2229 
?       bind          0     0 (+1)   ✓  159.87 (0.52)     237          ✓  55.33 (0.33)       0    237 
        fromMaybe     0     0 (+2)   ✓  54.27 (0.35)      18           ✓  11.58 (0.10)       0    18 
        return        0     0        ✓  9.89 (0.02)       17           ✓  11.49 (0.04)       4    17 
        isJust        0     2        ✓  69.33 (0.17)      48           ✓  22.07 (0.09)       0    48 
        isNothing     0     2        ✓  102.42 (0.32)     49           ✓  31.89 (0.22)       0    49 
        map           0     0 (+1)   ✓  54.90 (0.22)      120          ✓  22.01 (0.10)       0    120 
        mplus         0     1        ✓  319.64 (0.47)     318          ✓  70.98 (0.05)       0    318 
Nat     isEven        1     2        ✓  1027.79 (1.28)    466          ✓  313.77 (0.92)      8    468 
        pred          0     1        ✓  46.20 (0.18)      33           ✓  48.04 (0.13)       8    33 
        succ          0     1        ✓  115.16 (0.91)     76           ✓  156.02 (0.50)      8    76 
        sum           1     1 (+2)   ✓  1582.23 (3.60)    751          ✓  ?                  12   751 
Tree    map           1     0 (+1)   ✓  1168.60 (1.21)    4259         ✓  525.47 (1.31)      4    4259 
        stutter       1     0 (+1)   ✓  693.44 (1.21)     832          ✓  219.91 (1.02)      4    674 
        sum           2     3        ✓  1477.83 (1.28)    3230         ✓  3532.24 (7.19)     192  3623 
?       compose       0     0        ✓  40.27 (0.08)      38           ✓  14.53 (0.09)       2    38 
        copy          0     0        ✓  5.24 (0.04)       21           ✓  6.16 (0.10)        2    21 
        push          0     0        ✓  26.66 (0.18)      45           ✓  14.23 (0.13)       2    45 
Table 2: Number of examples needed for synthesis (#/Exs), Granule vs. MYTH vs. SMYTH 
(cells illegible in the extracted text are marked ?) 

Group   Problem    Granule   MYTH   SMYTH 
List    append     0         6      4 
        concat     1         6      3 
        snoc       1         8      3 
        drop       1         13     5 
        inc        1         4      2 
        head       1         3      2 
        tail       1         3      2 
        last       1         6      4 
        length     1         3      3 
        map        0         8      4 
        stutter    0         3      2 
        sum        ?         3      2 
Bool    neg        2         2      2 
        and        4         4      3 
        impl       4         4      3 
        or         4         4      3 
        xor        4         4      4 
Nat     isEven     2         4      3 
        add        ?         3      2 
        pred       1         3      2 
Tree    map        0         7      4 


Granule (using grades) against the MYTH synthesis tool (based on pruning by 
examples) [47], and the more advanced assertion-based SMYTH [36]. We consider 
the subset of our benchmarks drawn from MYTH. Table 2 shows the minimum 
number of input-output examples needed to synthesise the correct program in 
Granule, MYTH, and SMYTH. For all cases, Granule required the same or fewer 
examples than MYTH to synthesise the desired program, requiring fewer examples 
in 16 out of 21 cases. The disparity in the number of examples required is quite 
significant in some cases: with 13 examples required by MYTH to synthesise 
concat but only 1 example for Granule. Overall, SMYTH needed the same or 
fewer examples than MYTH. Granule needed the same or fewer examples than 
SMYTH in 18 out of 21 cases, but in the other 3 cases (and, impl, or) SMYTH 
required 1 fewer example. Overall, the lower number of examples needed in our 
approach shows the pruning power of grades in synthesis, confirming H2. 

We briefly examine one of the more complex benchmarks which uses almost 
all of our synthesis rules in one program. The stutter case (List class) is specified: 


stutter : ∀ a . List (a [2]) %1..∞ → List a 
spec stutter 


Its input is a list of elements graded by 2, i.e., each element must be used twice. The 
argument list itself must be used at least once but possibly infinitely often, suggesting 
that some recursion will be necessary. This is further emphasised by the spec, which 
states we can use stutter itself inside the function. Without grades, synthesis times 
out. Graded synthesis produces the following in 1325ms (~1.3 seconds): 


stutter Nil = Nil; 
stutter (Cons [u] z) = (Cons u) ((Cons u) (stutter z)) 


6 Synthesis of Linear Haskell Programs 


As part of a growing trend of resourceful types being added to more mainstream 
languages, Haskell has introduced support for linear types as of GHC 9, using an 
underlying graded type system which can be enabled as a language extension [8] 
(called LinearTypes). This system is closely related to the calculus here but 
limited to one semiring. This however presents an opportunity to leverage our 
tool to synthesise (linear) Haskell programs. Like Granule, grades in Haskell can 
be expressed as “multiplicities” on function types: a %r -> b. The multiplicity r 
can be either 1 or ω (or polymorphic), with 1 denoting linear usage (also written 
as ’One) and ω (’Many) for unrestricted use. Similarly, Granule can model linear 
types using the 0-1-ω semiring (Example 26). Synthesising Linear Haskell 
programs then simply becomes a task of parsing a Haskell type into a Granule 
equivalent, synthesising a term from it, and compiling the synthesised term back 
to Haskell (which has similar syntax to Granule anyway). 

Our implementation includes a prototype synthesis tool using this approach. 
A synthesis problem takes the form of a Linear Haskell program with a hole, e.g. 


{-# LANGUAGE LinearTypes #-} 
swap :: (a, b) %One -> (b, a) 
swap = _ 


We invoke the synthesis tool with gr --linear-haskell swap.hs which produces: 

swap (z, y) = (y, z) 


Users may make use of lists, tuples, Maybe and Either data types from Haskell’s 
prelude, as well as user-defined ADTs. Further integration of the tool, as well as 
support for additional Haskell features such as GADTs is left as future work. 


7 Discussion 


Comparison with prior work Previously, LGM targeted the linear λ-calculus 
with graded modalities [27]. In this paper, we instead considered a fully-graded 
(‘graded base’) calculus with no linearity: all assumptions are graded and subse- 
quently there is a graded function arrow (not present in the ‘linear base’ style). 
This graded calculus matches practical implementations of graded types seen in 
Idris 2 and Haskell. Furthermore, a key contribution beyond LGM is the handling 
of recursion, general user-defined (recursive) ADTs, and polymorphism. Due to 
the pervasive grading, the majority of the synthesis rules are considerably differ- 
ent from those of LGM. For example, LGM’s synthesis of functions is linear, and thus 
need not handle the complexity of grading (cf. the corresponding graded rule on p. 13): 


\[
\frac{\Gamma, x_2 : B \vdash C \Rightarrow^{+} t_1;\ \Delta_1, x_2 : B
      \qquad
      \Gamma \vdash A \Rightarrow^{+} t_2;\ \Delta_2}
     {\Gamma, x_1 : A \multimap B \vdash C \Rightarrow^{+} [(x_1\, t_2)/x_2]\, t_1;\ (\Delta_1 + \Delta_2), x_1 : A \multimap B}
\]


As above, in the linear setting of LGM, many of the constraints and grades 
handled in this paper are essentially specialised away as equal to 1, with only 
linear products and coproducts considered. Since grading is potentially more 
permissive than linearity, elimination rules in our synthesis calculus must also 
make available an eliminated variable for re-use in every premise, which was not 
needed in LGM. Furthermore, the power of this paper’s case rule means there are 
simple, non-recursive terms we can synthesise which LGM cannot. In particular, 
synthesis of programs which perform “deep” pattern matching over a graded 
data structure is not possible in LGM. For example, LGM’s approach cannot 
synthesise a term for $\Box_{0..1}(a, (a, b)) \multimap b$ as it cannot propagate information 
from one case to another to inherit the grade 0..1 on the pair’s components. 
However, here we can synthesise (in just a few steps, plus refactoring): 


deep : ∀ a b : Type . (a, (a, b)) %0..1 → b 
deep [(_, (_, y))] = y  -- y inherits grade 0..1 


Thus, not only does our approach consider a different mode of grading, as well 
as extending to arbitrary recursive ADTs and recursive functions, it is also more 
expressive in the interaction between data types and grades. 

LGM introduced additive and subtractive resource management schemes (sum- 
marised and re-contextualised in Section 2). Comparative evaluation of LGM 
showed that constraints from the subtractive approach are typically larger, more 
complex, and discharged more frequently than in additive synthesis. We con- 
cluded that subtractive only ever outperformed additive on purely linear types. 
Coupled with the fact that the subtractive approach has limitations in the pres- 
ence of polymorphic grades, we thus adopted the additive scheme, especially 
in light of us considering more complex programs. Our evaluation of LGM did 
not give any evidence justifying use of grades for synthesis compared to just 
using types. Here, we showed that grading significantly reduces the number of 
paths explored and examples needed when compared with purely type-directed 
approaches, including in comparison with MYTH. 


Other Related Work Beyond MYTH, other recent work has extended type-and- 
example-directed synthesis approaches. SMYTH constrains the search space fur- 
ther by augmenting types with assertions (called ‘sketches’) to guide synthe- 
sis. This technique involves employing more evaluation during synthesis to 
generate intermediate input-output examples to prune the search space. They 
evaluate on a subset of MYTH benchmarks (somewhat similar to our own method 
here). Whilst we compared our approach (with grades + types + examples con- 
sidered at the end) to MYTH (with types + examples integrated) to show that 
grading reduces the number of examples, comparing with the assertion-based 
approach in SMYTH is further work. Another recent work, BURST, also lever- 
ages the MYTH benchmark, but using a ‘bottom-up’ technique (in contrast 
to our top-down approach, Section 4.2). The bottom-up approach synthesises a 
sequence of complete programs which can be refined and tested under an ‘an- 
gelic semantics’. Whether a bottom-up grade-directed approach could lead to 
performance improvements is an open question. 

Whilst we considered resourceful programming via graded types, other no- 
tions of resourceful typing exist, including ‘ownership’ (e.g., Rust [BI]) and re- 
lated ‘uniqueness’ (e.g., Clean [51]). Recently, Fiala et al. synthesised Rust pro- 
grams from a custom program logic, Synthetic Ownership Logic, that integrates a 
typed approach to Rust ownership with functional specifications, allowing syn- 
thesis to follow a deductive approach [16]. There is some philosophical overlap in 
the resourceful ideas in their approach and ours. Drawing a closer correspondence 
between Rust-style ownership and grading, to perhaps leverage our resourceful 
approach to synthesis, is future work. Notably, Marshall and Orchard show that 
uniqueness types can be implemented as an extension of a linear type theory 
with a non-linearity modality and uniqueness modality [88]. Further work could 
adapt our approach to this setting to provide synthesis for uniqueness types as 
a precursor to the full ownership and borrowing system of Rust. 

The dependently-typed language Idris provides automated proof search as 
part of its implementation [10]. In Idris 2, the core type theory is based on 
a graded type theory [5, 39] with the 0-1-ω semiring (Example 1) and with proof 
synthesis extended to utilise these grades [11]. This approach has some relation 
to ours, but in a limited single-semiring setting and restricted in how grades can 
be leveraged. Our approach is readily applicable to Idris, which is future work. 


Conclusion Our work is grounded in the philosophy of type-driven development 
where the user thinks about the expected behaviour or constraints of a program 
first, writing the type as a specification. Synthesis is not necessarily about having 
complicated programs generated but is often about generating straightforward 
programs to save effort. This is the gain provided by type-directed synthesis in 
existing languages such as Agda [9] and Idris [10]. Our technique augments this, 
such that boilerplate code and simple algorithms can be automatically generated, 
freeing the developer to focus on other parts of a program. 

A next step is to incorporate GADTs (Generalised ADTs), i.e., indexed types, 
into synthesis. Granule provides support for user-defined GADTs, and the in- 
teraction between grades and type indices is a key contributor to its expressive 
power [45]. For example, consider a function that replicates a value a number of 
times to create a list, typed rep : ∀ {t : Type} . Int → t %0..∞ → List t. 
Given a standard indexed type of natural numbers N (n : Nat) and size-indexed 
vectors Vec (n : Nat) (t : Type), a more precise specification can be given as 
∀ {n : Nat, t : Type} . N n → t %n → Vec n t, for which the search space 
could be more effectively pruned by including type indices in synthesis. 

We intend to pursue further improvements to our tool to reduce the overhead 
of SMT solving, integrate examples into the search algorithm itself in the style of 
MYTH and Leon, as well as considering possible semiring-dependent op- 
timisations that may be applicable. Another piece of further work is to prove 
completeness of our synthesis calculus, which we believe holds. 

With the rise in Large Language Models showing their power at program 
synthesis [6, 30], the deductive approach still has value, providing correct-by- 
construction synthesis from specification rather than predicting programs which 
may violate fine-grained type constraints, e.g., from grades. Future work, and a 
general challenge for the deductive synthesis community, is to combine the two 
approaches with the logical engine of the deductive approach guiding prediction. 


Data-Availability An artefact supporting the results of this work is available at 
http://zenodo.org/records/10511509 
Abstract There has been much progress in designing bidirectional type 
systems and associated type synthesis algorithms, but mainly on a case- 
by-case basis. To remedy the situation, this paper develops a general 
and formal theory of bidirectional typing for simply typed languages: 
for every signature that specifies a mode-correct bidirectionally typed 
language, there exists a proof-relevant type synthesiser which, given an 
input abstract syntax tree, constructs a typing derivation if any, gives its 
refutation if not, or reports that the input does not have enough type 
annotations. Sufficient conditions for deriving a type synthesiser such as 
soundness, completeness, and mode-correctness are studied universally 
for all signatures. We propose a preprocessing step called mode decoration, 
which helps the user to deal with missing type annotations. The entire 
theory is formally implemented in Agda, so we provide a verified generator 
of proof-relevant type synthesisers as a by-product of our formalism. 


1 Introduction 


Type inference is an important mechanism for the transition to well-typed 
programs from untyped abstract syntax trees, which we call raw terms. Here 
‘type inference’ refers specifically to algorithms that ascertain the type of any raw 
term without type annotations. However, full parametric polymorphism entails 
undecidability in type inference, as do dependent types [9, 31]. In light of these 
limitations, bidirectional type synthesis emerged as a viable alternative, deciding 
the types of raw terms that meet some syntactic criteria and typically contain 
annotations. In their survey paper [10], Dunfield and Krishnaswami summarised 
the principles of bidirectional type synthesis and its wide coverage of languages 
with simple, polymorphic, dependent, and gradual types, among others. 

While type inference is not decidable in general, for certain kinds of terms it 
is still possible to synthesise their types. For example, the type of a variable can 
be looked up in the context. Bidirectional type synthesis combines type synthesis 
on this subset of terms with type checking (based on a given type) on the rest. 
Formally, every judgement in a bidirectional type system is extended with a 
mode: (i) Γ ⊢ t ⇒ A for synthesis and (ii) Γ ⊢ t ⇐ A for checking. The former 
indicates that the type A is an output, using both the context Γ and the term t 
as input, while for the latter, all three of Γ, t, and A are input. The algorithm 
of a bidirectional type synthesiser can often be ‘read off’ from a well-designed 
bidirectional type system: as the synthesiser traverses a raw term, it switches 
between synthesis and checking, following the modes assigned to the judgements 
in the typing rules. 
Despite sharing the same basic idea, bidirectional typing has been mostly 
developed on a case-by-case basis. Dunfield and Krishnaswami present informal 
design principles learned from individual bidirectional type systems, but in 
addition to crafting special techniques for individual systems, we should start 
to consolidate concepts common to a class of bidirectional type systems into 
a general and formal theory that gives mathematically precise definitions and 
proves theorems for the class of systems once and for all. In this paper, we develop 
such a theory of bidirectional typing with the proof assistant Agda. 


Proof-relevant type synthesis Our work adopts a proof-relevant approach 
to (bidirectional) type synthesis, as illustrated by Wadler et al. [30] for PCF. 
The proof-relevant formulation deviates from the usual one: traditionally, a type 
synthesis algorithm is presented as algorithmic rules, for example in the form 
Γ ⊢ t ⇒ A ⇝ t′, which denotes that t in the surface language can be transformed 
to a well-typed term t′ of type A in the core language [24]. Such an algorithm 
is accompanied by soundness and completeness assertions that the algorithm 
correctly synthesises the type of a raw term, and every typable term can be 
synthesised. By contrast, the proof-relevant approach exploits the simultaneously 
computational and logical nature of Martin-Löf type theory, and formulates 
algorithmic soundness, completeness, and decidability in one go. 

Recall that the law of excluded middle P ∨ ¬P does not hold as an axiom for 
every P constructively, and we say that P is logically decidable if the law holds 
for P. Since Martin-Löf type theory is logical and computational, a decidability 
proof is a proof-relevant decision procedure that computes a yes-or-no answer with 
a proof of P or its refutation, so logical decidability is algorithmic decidability. 
More specifically, consider the statement of the type inference problem 


‘for a context Γ and a raw term t, either a typing derivation of Γ ⊢ t : A 
exists for some type A or any derivation of Γ ⊢ t : A for some type A 
leads to a contradiction’, 


which can be rephrased more succinctly as 
‘It is decidable for any Γ and t whether Γ ⊢ t : A is derivable for some A’. 


A proof of this statement would also be a program that produces either a typing 
derivation for the given raw term t or a negation proof that such a derivation 
is impossible. The first case is algorithmic soundness, while the second case 
is algorithmic completeness in contrapositive form (which implies the original 
form due to the decidability). Therefore, proving the statement is the same as 
constructing a verified proof-relevant type inference algorithm, which returns not 
only an answer but also a proof justifying that answer. This is an economic way 
to bridge the gap between theory and practice, where proofs double as verified 
programs, in contrast to separately exhibiting a theory and an implementation 
that are loosely related. 
Annotations in the type synthesis problem As we mentioned in the 
beginning, with bidirectional typing we avoid the generally undecidable problem 
of type inference, and instead solve the simpler problem about the typability of 
‘sufficiently annotated’ raw terms, which we call the type synthesis problem to 
distinguish it from type inference. Annotations therefore play an important role 
even in the definition of the problem solved by bidirectional typing, but have not 
received enough attention. In our theory, we define mode derivations to explicitly 
take annotations into account, and formulate the type synthesis problem with 
sufficiently annotated raw terms. Accordingly, a preprocessing step called mode 
decoration is proposed to help the user to work with annotations. 

The type synthesis problem is not just about deciding whether a raw term 
is typable—there is a third possibility that the term does not have sufficient 
annotations. Thus, before attempting to decide typability (using a bidirectional 
type synthesiser), we should first decide if the raw term has sufficient annotations, 
which corresponds to whether the term has a mode derivation. Our theory gives 
a proof-relevant mode decorator, which either (i) constructs a mode derivation 
for a raw term, or (ii) provides information that refutes the existence of any 
mode derivation and pinpoints missing annotations. Then a bidirectional type 
synthesiser is only required to decide the typability of mode-decorated raw terms. 
Soundness and completeness of bidirectional typing is reformulated as a one-to- 
one correspondence between bidirectional typing derivations and pairs of a typing 
derivation and a mode derivation for the same raw term. Our completeness is 
simpler and more useful than annotatability, which is a typical formulation of 
completeness in the literature of bidirectional typing [10, Section 3.2]. 


Mode-correctness and general definitions of languages The most essential 
characteristic of bidirectional typing is mode-correctness, since an algorithm 
can often be ‘read off’ from the definition of a bidirectionally typed language if 
mode-correct. As illustrated by Dunfield and Krishnaswami [10], it seems that 
the implications of mode-correctness have only been addressed informally so far, 
and mode-correctness is not yet formally defined as a property of languages. 

In order to make the notion of mode-correctness precise, we first give a 
general definition of bidirectional simple type systems, called bidirectional binding 
signature, extending the typed version of Aczel’s binding signature [1] with modes. 
A general definition of typed languages allows us to define mode-correctness and 
to investigate its consequences rigorously: the uniqueness of synthesised types and 
the decidability of bidirectional type synthesis for mode-correct signatures. The 
proof of the latter theorem amounts to a generator of proof-relevant bidirectional 
type synthesisers (analogous to a parser generator working for unambiguous or 
disambiguated grammars). 

To make our exposition accessible, the theory in this paper focuses on simply 
typed languages with a syntax-directed bidirectional type system, so that the 
decidability of bidirectional type synthesis can be established without any other 
technical assumptions. It should be possible to extend the theory to deal with 
more expressive types and assumptions other than mode-correctness. For instance, 
we briefly discuss how the theory can be extended to handle polymorphically 
typed languages such as System F, System F<:, and those systems using implicit 
type applications with additional assumptions in Section 7. 


Contributions and plan of this paper In short, we develop a general and 
formal theory of bidirectional type synthesis for simply typed languages, including 


1. general definitions for bidirectional type systems and mode-correctness; 

2. mode derivations for explicitly dealing with annotations in the theory, and 
mode decoration for helping the user to work with annotations in practice; 

3. rigorously proven consequences of mode-correctness, including the uniqueness 
of synthesised types and the decidability of bidirectional type synthesis, which 
amounts to 

4. a fully verified generator of proof-relevant type synthesisers. 


Our theory is fully formally developed with Agda, but is translated to the 
mathematical vernacular for presentation in this paper. The formal theory doubles 
as a verified implementation, which is available publicly on Zenodo [8]. 

This paper is structured as follows. We present a concrete overview of our 
theory using simply typed λ-calculus in Section 2, prior to developing a general 
framework for specifying bidirectional type systems in Section 3. Following 
this, we discuss mode decoration and related properties in Section 4. The main 
technical contribution lies in Section 5, where we introduce mode-correctness and 
bidirectional type synthesis. Some examples other than simply typed λ-calculus 
are given in Section 6, and further developments are discussed in Section 7. 


2 Bidirectional type synthesis for simply typed λ-calculus 


We start with an overview of our theory by instantiating it to simply typed 
λ-calculus. Roughly speaking, the problem of type synthesis requires us to take 
a raw term as input, and produce a typing derivation for the term if possible. 
To give more precise definitions: the raw terms for simply typed λ-calculus are 
defined¹ in Figure 1; besides the standard constructs, there is an ANNO rule that 
allows the user to insert type annotations to facilitate type synthesis. 


$V \vdash t$   Given a list $V$ of variables, $t$ is a raw term with free variables in $V$ 

\[
\frac{x \in V}{V \vdash x}\ \textsc{Var}
\qquad
\frac{V \vdash t}{V \vdash (t : A)}\ \textsc{Anno}
\qquad
\frac{V, x \vdash t}{V \vdash \lambda x.\, t}\ \textsc{Abs}
\qquad
\frac{V \vdash t \quad V \vdash u}{V \vdash t\, u}\ \textsc{App}
\]

Figure 1. Raw terms for simply typed λ-calculus 


¹ The usual conditions about named representations of variables are omitted. 
$\Gamma \vdash t : A$   A raw term $t$ has type $A$ under context $\Gamma$ 

\[
\frac{(x : A) \in \Gamma}{\Gamma \vdash x : A}\ \textsc{Var}
\qquad
\frac{\Gamma \vdash t : A}{\Gamma \vdash (t : A) : A}\ \textsc{Anno}
\qquad
\frac{\Gamma, x : A \vdash t : B}{\Gamma \vdash \lambda x.\, t : A \supset B}\ \textsc{Abs}
\qquad
\frac{\Gamma \vdash t : A \supset B \quad \Gamma \vdash u : A}{\Gamma \vdash t\, u : B}\ \textsc{App}
\]

Figure 2. Typing derivations for simply typed λ-calculus 


Correspondingly, the definition of typing derivations² in Figure 2 has an ANNO 
rule enforcing that the type of an annotated term does match the annotation. 
Now we can define what it means to solve the type synthesis problem. 


Definition 2.1. Parametrised by an ‘excuse’ predicate E on raw terms, a type 
synthesiser takes a context Γ and a raw term |Γ| ⊢ t (where |Γ| is the list of 
variables in Γ) as input, and establishes one of the following outcomes: 


1. there exists a derivation of Γ ⊢ t : A for some type A, 
2. there does not exist a derivation of Γ ⊢ t : A for any type A, or 
3. E holds for t. 


It is crucial to allow the third outcome, without which we would be requiring 
the type synthesis problem to be decidable, but this requirement would quickly 
become impossible to meet when the theory is extended to handle more complex 
types. If a type synthesiser cannot decide whether there is a typing derivation, 
it is allowed to give an excuse instead of an answer. Acceptable excuses are 
defined by the predicate E, which describes what is wrong with an input term, 
for example, not having enough type annotations. 


$\Gamma \vdash t \Rightarrow A$   A raw term $t$ synthesises a type $A$ under $\Gamma$ 

$\Gamma \vdash t \Leftarrow A$   A raw term $t$ checks against a type $A$ under $\Gamma$ 

\[
\frac{(x : A) \in \Gamma}{\Gamma \vdash x \Rightarrow A}\ \textsc{Var}^{\Rightarrow}
\qquad
\frac{\Gamma \vdash t \Leftarrow A}{\Gamma \vdash (t : A) \Rightarrow A}\ \textsc{Anno}^{\Rightarrow}
\qquad
\frac{\Gamma \vdash t \Rightarrow B \quad B = A}{\Gamma \vdash t \Leftarrow A}\ \textsc{Sub}^{\Leftarrow}
\]
\[
\frac{\Gamma, x : A \vdash t \Leftarrow B}{\Gamma \vdash \lambda x.\, t \Leftarrow A \supset B}\ \textsc{Abs}^{\Leftarrow}
\qquad
\frac{\Gamma \vdash t \Rightarrow A \supset B \quad \Gamma \vdash u \Leftarrow A}{\Gamma \vdash t\, u \Rightarrow B}\ \textsc{App}^{\Rightarrow}
\]

Figure 3. Bidirectional typing derivations for simply typed λ-calculus 


² We write ‘⊃’ instead of ‘→’ for the function types of simply typed λ-calculus to avoid 
confusion with the function types in our type-theoretic meta-language. 
$V \vdash t^{\Rightarrow}$   A raw term $t$ (with free variables in $V$) is in synthesising mode 

$V \vdash t^{\Leftarrow}$   A raw term $t$ (with free variables in $V$) is in checking mode 

\[
\frac{x \in V}{V \vdash x^{\Rightarrow}}\ \textsc{Var}^{\Rightarrow}
\qquad
\frac{V \vdash t^{\Leftarrow}}{V \vdash (t : A)^{\Rightarrow}}\ \textsc{Anno}^{\Rightarrow}
\qquad
\frac{V \vdash t^{\Rightarrow}}{V \vdash t^{\Leftarrow}}\ \textsc{Sub}^{\Leftarrow}
\]
\[
\frac{V, x \vdash t^{\Leftarrow}}{V \vdash (\lambda x.\, t)^{\Leftarrow}}\ \textsc{Abs}^{\Leftarrow}
\qquad
\frac{V \vdash t^{\Rightarrow} \quad V \vdash u^{\Leftarrow}}{V \vdash (t\, u)^{\Rightarrow}}\ \textsc{App}^{\Rightarrow}
\]

Figure 4. Mode derivations for simply typed λ-calculus 


Now our goal is to use Definition 2.1 as a specification and implement it using 
a bidirectional type synthesiser, which attempts to produce bidirectional typing 
derivations defined in Figure 3. It is often said that a type synthesis algorithm 
can be ‘read off’ from well-designed bidirectional typing rules. Take the App⇒ 
rule as an example: to synthesise the type of an application t u, we first synthesise 
the type of t, which should have the form A ⊃ B, from which we can extract the 
expected type of u, namely A, and perform checking; then the type of the whole 
application, namely B, can also be extracted from the type A ⊃ B. Note that 
the synthesiser is able to figure out the type A for checking u and the type B to 
be synthesised for t u because they have been computed when synthesising the 
type A ⊃ B of t. In general, there should be a flow of type information in each 
rule that allows us to determine unknown types (e.g. types to be checked) from 
known ones (e.g. types previously synthesised). This is called mode-correctness, 
which we will formally define in Section 5.1. 

While it is possible for a bidirectional type synthesiser to do its job in one 
go, which can be thought of as adding both mode and typing information to 
a raw term and arriving at a bidirectional typing derivation, it is beneficial to 
have a preprocessing step which adds only mode information, based on which 
the synthesiser then continues to add typing information. More precisely, the 
preprocessing step, which we call mode decoration, attempts to produce mode 
derivations as defined in Figure 4, where the rules are exactly the mode part of 
the bidirectional typing rules (Figure 3). 


Definition 2.2. A mode decorator decides for a raw term V ⊢ t whether V ⊢ t⇒. 


One (less important) benefit of mode decoration is that it helps to simplify 
the synthesiser, whose computation can be partly directed by a mode derivation. 
More importantly, whether there is a mode derivation for a term is actually 
very useful information to the user, because it corresponds to whether the term 
has enough type annotations: observe that the Anno⇒ and Sub⇐ rules allow 
us to switch between the synthesising and checking modes; the switch from 
synthesising to checking is free, whereas the opposite direction requires a type 
annotation. That is, any term in synthesising mode is also in checking mode, but 
not necessarily vice versa. A type annotation is required wherever a term that can 
only be in checking mode is required to be in synthesising mode, and a term does 
not have a mode derivation if and only if type annotations are missing in such 
places. (We will treat all these more rigorously in Section 4.) For example, an 
abstraction is strictly in checking mode, but the left sub-term of an application 
has to be synthesising, so a term of the form (λx. t) u does not have a mode 
derivation unless we annotate the abstraction. 

Perhaps most importantly, mode derivations enable us to give bidirectional 
type synthesisers a tight definition: if we restrict the domain of a synthesiser to 
terms in synthesising mode (i.e. having enough type annotations for performing 
synthesis), then it is possible for the synthesiser to decide whether there is a 
suitable typing derivation. 


Definition 2.3. A bidirectional type synthesiser decides for any context Γ and 
synthesising term |Γ| ⊢ t⇒ whether Γ ⊢ t ⇒ A for some type A. 


Now we can get back to implementing a type synthesiser (Definition 2.1). 


Theorem 2.4. A type synthesiser using ‘not in synthesising mode’ as its excuse 
can be constructed from a mode decorator and a bidirectional type synthesiser. 


The construction is straightforward: run the mode decorator on the input
term $|\Gamma| \vdash t$. If there is no synthesising mode derivation, report that $t$ is not
in synthesising mode (the third outcome). Otherwise $|\Gamma| \vdash t^{\Rightarrow}$, and we can run
the bidirectional type synthesiser. If it finds a derivation of $\Gamma \vdash t \Rightarrow A$ for some
type $A$, return a derivation of $\Gamma \vdash t : A$ (the first outcome), which is possible
because the bidirectional typing (Figure 3) is sound with respect to the original
typing (Figure 2); if there is no derivation of $\Gamma \vdash t \Rightarrow A$ for any type $A$, then
there is no derivation of $\Gamma \vdash t : A$ for any $A$ either (the second outcome), because
the bidirectional typing is complete:


Theorem 2.5 (Soundness and Completeness). $\Gamma \vdash t \Rightarrow A$ if and only if
$|\Gamma| \vdash t^{\Rightarrow}$ and $\Gamma \vdash t : A$.


We will construct a mode decorator (Section 4.2) and a bidirectional type 
synthesiser (Section 5) and prove the above theorem for all syntax-directed 
bidirectional simple type systems (Section 4.1). To quantify over all such systems, 
we need their general definitions, which we formulate next. 


3 Bidirectionally simply typed languages 


This section provides general definitions of simple types, simply typed languages,
and bidirectional type systems, and uses the simply typed $\lambda$-calculus in Section 2
as our running example. These definitions may look dense, especially on first
reading. The reader may choose to skim through this section, in particular the
figures, and still get some rough ideas from later sections.
The definitions are formulated in two steps: (i) first we introduce a notion of
arity and a notion of signature which includes a set³ of operation symbols and an
assignment of arities to symbols; (ii) then, given a signature, we define raw terms
and typing derivations inductively by primitive rules such as $\textsc{Var}$ and a rule
schema for constructs $\mathrm{op}_o$, indexed by an operation symbol $o$. As we move from
simple types to bidirectional typing, the notion of arity, initially as the number
of arguments of an operation, is enriched to incorporate an extension context for
variable binding and the mode for the direction of type information flow.


3.1 Signatures and simple types 


For simple types, the only datum needed for specifying a type construct is its 
number of arguments: 


Definition 3.1. A signature $\Sigma$ for simple types consists of a set $I$ with a
decidable equality and an arity function $\mathrm{ar} : I \to \mathbb{N}$. For a signature $\Sigma$, a type
$A : \mathrm{Ty}_\Sigma(\Xi)$ over a variable set $\Xi$ is either


1. a variable in $\Xi$ or
2. $\mathrm{op}_i(A_1, \ldots, A_n)$ for some $i : I$ with $\mathrm{ar}(i) = n$ and types $A_1, \ldots, A_n$.


Example 3.2. Function types $A \supset B$ and typically a base type $b$ are included in
simply typed $\lambda$-calculus, and can be specified by the type signature $\Sigma_\supset$ consisting
of operations $\mathsf{fun}$ and $\mathsf{b}$ where $\mathrm{ar}(\mathsf{fun}) = 2$ and $\mathrm{ar}(\mathsf{b}) = 0$. Then, all types in
simply typed $\lambda$-calculus can be given as $\Sigma_\supset$-types over the empty set, with $A \supset B$
introduced as $\mathrm{op}_{\mathsf{fun}}(A, B)$ and $b$ as $\mathrm{op}_{\mathsf{b}}$.


Definition 3.3. The substitution for a function $\rho : \Xi \to \mathrm{Ty}_\Sigma(\Xi')$, denoted by
$\rho : \mathrm{Sub}_\Sigma(\Xi, \Xi')$, is a map which sends a type $A : \mathrm{Ty}_\Sigma(\Xi)$ to $A(\rho) : \mathrm{Ty}_\Sigma(\Xi')$ and
is defined as usual.


3.2 Binding signatures and simply typed languages 


A simply typed language specifies (i) a family of sets of raw terms $t$ indexed by a
list $V$ of variables (that are currently in scope), where each construct is allowed
to bind some variables like $\textsc{Abs}$ and to take multiple arguments like $\textsc{App}$; (ii) a
family of sets of typing derivations indexed by a typing context $\Gamma$, a raw term $t$,
and a type $A$. Therefore, to specify a term construct, we enrich the notion of
arity with some set of types for typing and extension context for variable binding.


Definition 3.4 ([13, p. 322]). A binding arity with a set $T$ of types is an
inhabitant of $(T^* \times T)^* \times T$, where $T^*$ is the set of lists over $T$. In a binding arity
$(((\Delta_1, A_1), \ldots, (\Delta_n, A_n)), A)$, every $\Delta_i$ and $A_i$ refers to the extension context
and the type of the $i$-th argument, respectively, and $A$ the target type. For brevity,
it is denoted by $[\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A$, where $[\Delta_i]$ is omitted if empty.


³ Even though our theory is developed in Martin-Löf type theory, the term 'set' is used
instead of 'type' to avoid the obvious confusion. Indeed, as we assume Axiom K, all
types are legitimately sets in the sense of homotopy type theory [29, Definition 3.1.1].


A Formal Treatment of Bidirectional Typing 123 
Example 3.5. Observe that the $\textsc{Abs}$ and $\textsc{App}$ rules in Figure 2 can be read as


$$\dfrac{\Gamma,\, x : A \vdash t : B}{\Gamma \vdash \lambda x.\,t : A \supset B} \qquad \dfrac{\Gamma,\, \cdot \vdash t : A \supset B \quad\quad \Gamma,\, \cdot \vdash u : A}{\Gamma \vdash t\,u : B}$$


(in the original figure the extension contexts $x : A$ and $\cdot$, the argument types $B$, $A \supset B$ and $A$,
and the target types $A \supset B$ and $B$ are labelled as such)
if the empty context $\cdot$ is added verbosely, so they can be specified by arities
$[A]B \to (A \supset B)$ and $(A \supset B), A \to B$, respectively, with $\mathrm{Ty}_{\Sigma_\supset}(\{A, B\})$ as types.


Next, akin to a signature, a binding signature $\Omega$ consists of a set of operation
symbols along with their respective binding arities:


Definition 3.6. For a type signature $\Sigma$, a binding signature $\Omega$ is a set $O$ with
a function


That is, each inhabitant $o : O$ is associated with a set $\Xi$ of type variables and an
arity $\mathrm{ar}(o)$ with $\mathrm{Ty}_\Sigma(\Xi)$ as types, denoted by $o : \Xi \triangleright [\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A_0$.

The set $\Xi$ of type variables for each operation, called its local context, plays an
important role. To use a rule like $\textsc{Abs}$ in an actual typing derivation, we need to
substitute concrete types, i.e. types without any type variables, for variables $A$, $B$.
In our formulation of substitution (3.3), we must first identify which type variables
to substitute for. As such, this information forms part of the arity of an operation,
and typing derivations, defined subsequently, will include functions $\rho$ from $\Xi$ to
concrete types specifying how to instantiate typing rules by substitution.

By a simply typed language $(\Sigma, \Omega)$, we mean a pair of a type signature $\Sigma$ and
a binding signature $\Omega$. Now, we define raw terms for $(\Sigma, \Omega)$ first.


Definition 3.7. For a simply typed language $(\Sigma, \Omega)$, the family of sets of raw
terms indexed by a list $V$ of variables consists of (i) (indices of) variables in $V$,
(ii) annotations $(t : A)$ for some raw term $t$ in $V$ and a type $A$, and (iii) a construct
$\mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n)$ for some $o : \Xi \triangleright [\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A_0$ in $O$, where
$\vec{x}_i$'s are lists of variables whose length is equal to the length of $\Delta_i$, and $t_i$'s are
raw terms in the variable list $V, \vec{x}_i$. These correspond to rules $\textsc{Var}$, $\textsc{Anno}$, and
$\textsc{Op}$ in Figure 5 respectively.


Before defining typing derivations, we need a definition of typing contexts. 


Definition 3.8. A typing context $\Gamma : \mathrm{Cxt}_\Sigma$ is formed by $\cdot$ for the empty context
and $\Gamma, x : A$ for an additional variable $x$ with a concrete type $A : \mathrm{Ty}_\Sigma(\emptyset)$. The
list of variables in $\Gamma$ is denoted $|\Gamma|$.


The definition of typing derivations is a bit more involved. We need some
information to compare types on the object level during type synthesis and
substitute those type variables in a typing derivation of $\Gamma \vdash \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) : A$
for an operation $o$ in $\Omega$ at some point. Here we choose to include a substitution
$\rho$ from the local context $\Xi$ to $\emptyset$ as part of its typing derivation explicitly:
$V \vdash_{\Sigma,\Omega} t$ : $t$ is a raw term for a language $(\Sigma, \Omega)$ with free variables in $V$


$$\dfrac{x \in V}{V \vdash_{\Sigma,\Omega} x}\ \textsc{Var} \qquad \dfrac{\cdot \vdash_\Sigma A \quad\quad V \vdash_{\Sigma,\Omega} t}{V \vdash_{\Sigma,\Omega} (t : A)}\ \textsc{Anno}$$


$$\dfrac{V, \vec{x}_1 \vdash_{\Sigma,\Omega} t_1 \quad \cdots \quad V, \vec{x}_n \vdash_{\Sigma,\Omega} t_n}{V \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n)}\ \textsc{Op}$$

for $o : \Xi \triangleright [\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A_0$ in $\Omega$


Figure 5. Raw terms


Definition 3.9. For a simply typed language $(\Sigma, \Omega)$, the family of sets of typing
derivations of $\Gamma \vdash t : A$, indexed by a typing context $\Gamma : \mathrm{Cxt}_\Sigma$, a raw term $t$ with
free variables in $|\Gamma|$, and a type $A : \mathrm{Ty}_\Sigma(\emptyset)$, consists of


1. a derivation of $\Gamma \vdash_{\Sigma,\Omega} x : A$ if $x : A$ is in $\Gamma$,

2. a derivation of $\Gamma \vdash_{\Sigma,\Omega} (t : A) : A$ if $\Gamma \vdash_{\Sigma,\Omega} t : A$ has a derivation, and

3. a derivation of $\Gamma \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) : A_0(\rho)$ for some operation
$o : \Xi \triangleright [\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A_0$ if there exist $\rho : \Xi \to \mathrm{Ty}_\Sigma(\emptyset)$ and a
derivation of $\Gamma, \vec{x}_i : \Delta_i(\rho) \vdash_{\Sigma,\Omega} t_i : A_i(\rho)$ for each $i$,


corresponding to rules $\textsc{Var}$, $\textsc{Anno}$, and $\textsc{Op}$ in Figure 6 respectively.


Example 3.10. Raw terms (Figure 1) and typing derivations (Figure 2) for simply
typed $\lambda$-calculus can be specified by the type signature $\Sigma_\supset$ (Example 3.2)
and the binding signature consisting of $\mathsf{app} : A, B \triangleright (A \supset B), A \to B$ and
$\mathsf{abs} : A, B \triangleright [A]B \to (A \supset B)$. Rules $\textsc{Abs}$ and $\textsc{App}$ in simply typed $\lambda$-calculus
are subsumed by the $\textsc{Op}$ rule schema, as applications $t\,u$ and abstractions $\lambda x.\,t$
can be introduced uniformly as $\mathrm{op}_{\mathsf{app}}(t, u)$ and $\mathrm{op}_{\mathsf{abs}}(x.\,t)$, respectively.


3.3 Bidirectional binding signatures and bidirectional type systems 


Typing judgements for a bidirectional type system appear in two forms: $\Gamma \vdash t \Rightarrow A$
and $\Gamma \vdash t \Leftarrow A$. These two typing judgements can be considered as a single
typing judgement $\Gamma \vdash t :^d A$ indexed by a mode $d : \mathrm{Mode}$, which can be either
$\Rightarrow$ or $\Leftarrow$. Therefore, to define a bidirectional type system, we enrich the concept
of binding arity to bidirectional binding arity, which further specifies the mode
for each of its arguments and for the conclusion:


Definition 3.11. A bidirectional binding arity with a set $T$ of types is an
inhabitant of
$$(T^* \times T \times \mathrm{Mode})^* \times T \times \mathrm{Mode}.$$


For clarity, an arity is denoted by $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A^d$.
Example 3.12. Consider the $\textsc{Abs}^{\Leftarrow}$ rule (Figure 3) for $\lambda x.\,t$. It has the arity
$[A]B^{\Leftarrow} \to (A \supset B)^{\Leftarrow}$, indicating additionally that both $\lambda x.\,t$ and its argument $t$
are checking. Likewise, the $\textsc{App}^{\Rightarrow}$ rule has the arity $(A \supset B)^{\Rightarrow}, A^{\Leftarrow} \to B^{\Rightarrow}$.


Definition 3.13. For a type signature $\Sigma$, a bidirectional binding signature $\Omega$ is
a set $O$ with


We write $o : \Xi \triangleright [\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$ for an operation $o$ with a variable
set $\Xi$ and its bidirectional binding arity with $\mathrm{Ty}_\Sigma(\Xi)$ as types. We call it checking
if $d$ is $\Leftarrow$ or synthesising if $d$ is $\Rightarrow$; similarly, its $i$-th argument is checking if $d_i$
is $\Leftarrow$ and synthesising if $d_i$ is $\Rightarrow$. A bidirectional type system $(\Sigma, \Omega)$ refers to a
pair of a type signature $\Sigma$ and a bidirectional binding signature $\Omega$.


Definition 3.14. For a bidirectional type system $(\Sigma, \Omega)$,


- the set of bidirectional typing derivations of $\Gamma \vdash_{\Sigma,\Omega} t :^d A$, indexed by a
typing context $\Gamma$, a raw term $t$ under $|\Gamma|$, a mode $d$, and a type $A$, is defined
in Figure 7, and particularly


$$\Gamma \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) :^d A_0(\rho)$$


has a derivation for $o : \Xi \triangleright [\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$ in $\Omega$ if there is
$\rho : \Xi \to \mathrm{Ty}_\Sigma(\emptyset)$ and a derivation of $\Gamma, \vec{x}_i : \Delta_i(\rho) \vdash_{\Sigma,\Omega} t_i :^{d_i} A_i(\rho)$ for each $i$;

- the set of mode derivations of $V \vdash_{\Sigma,\Omega} t^d$, indexed by a list $V$ of variables, a
raw term $t$ under $V$, and a mode $d$, is defined in Figure 8.


The two judgements $\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow A$ and $\Gamma \vdash_{\Sigma,\Omega} t \Leftarrow A$ stand for $\Gamma \vdash_{\Sigma,\Omega} t :^{\Rightarrow} A$
and $\Gamma \vdash_{\Sigma,\Omega} t :^{\Leftarrow} A$, respectively. A typing rule is checking if its conclusion mode
is $\Leftarrow$ or synthesising otherwise.


Every bidirectional binding signature $\Omega$ gives rise to a binding signature $|\Omega|$
if we erase modes from $\Omega$, called the (mode) erasure of $\Omega$. Hence a bidirectional
type system $(\Sigma, \Omega)$ also specifies a simply typed language $(\Sigma, |\Omega|)$, including raw
terms and typing derivations.


Example 3.15. Having established generic definitions, we can now specify simply
typed $\lambda$-calculus and its bidirectional type system (including raw terms, (bidirectional)
typing derivations, and mode derivations) using just a pair of signatures
$\Sigma_\supset$ (Example 3.2) and $\Omega_{\Leftrightarrow}$ which consists of


$$\mathsf{abs} : A, B \triangleright [A]B^{\Leftarrow} \to (A \supset B)^{\Leftarrow} \qquad \text{and} \qquad \mathsf{app} : A, B \triangleright (A \supset B)^{\Rightarrow}, A^{\Leftarrow} \to B^{\Rightarrow}$$


More importantly, we are able to reason about constructions and properties that
hold for any simply typed language with a bidirectional type system once and
for all by quantifying over $(\Sigma, \Omega)$.
$\Gamma \vdash_{\Sigma,\Omega} t : A$ : $t$ has a concrete type $A$ under $\Gamma$ for a language $(\Sigma, \Omega)$


$$\dfrac{(x : A) \in \Gamma}{\Gamma \vdash_{\Sigma,\Omega} x : A}\ \textsc{Var} \qquad \dfrac{\Gamma \vdash_{\Sigma,\Omega} t : A}{\Gamma \vdash_{\Sigma,\Omega} (t : A) : A}\ \textsc{Anno}$$


$$\dfrac{\rho : \mathrm{Sub}_\Sigma(\Xi, \emptyset) \quad\quad \Gamma, \vec{x}_1 : \Delta_1(\rho) \vdash_{\Sigma,\Omega} t_1 : A_1(\rho) \quad \cdots \quad \Gamma, \vec{x}_n : \Delta_n(\rho) \vdash_{\Sigma,\Omega} t_n : A_n(\rho)}{\Gamma \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) : A_0(\rho)}\ \textsc{Op}$$

for $o : \Xi \triangleright [\Delta_1]A_1, \ldots, [\Delta_n]A_n \to A_0$ in $\Omega$

Figure 6. Typing derivations
$\Gamma \vdash_{\Sigma,\Omega} t :^d A$ : $t$ has a type $A$ in mode $d$ under $\Gamma$ for a bidirectional system $(\Sigma, \Omega)$


$$\dfrac{(x : A) \in \Gamma}{\Gamma \vdash_{\Sigma,\Omega} x \Rightarrow A}\ \textsc{Var}^{\Rightarrow} \qquad \dfrac{\Gamma \vdash_{\Sigma,\Omega} t \Leftarrow A}{\Gamma \vdash_{\Sigma,\Omega} (t : A) \Rightarrow A}\ \textsc{Anno}^{\Rightarrow} \qquad \dfrac{\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow A}{\Gamma \vdash_{\Sigma,\Omega} t \Leftarrow A}\ \textsc{Sub}^{\Leftarrow}$$


$$\dfrac{\rho : \mathrm{Sub}_\Sigma(\Xi, \emptyset) \quad\quad \Gamma, \vec{x}_1 : \Delta_1(\rho) \vdash_{\Sigma,\Omega} t_1 :^{d_1} A_1(\rho) \quad \cdots \quad \Gamma, \vec{x}_n : \Delta_n(\rho) \vdash_{\Sigma,\Omega} t_n :^{d_n} A_n(\rho)}{\Gamma \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) :^d A_0(\rho)}\ \textsc{Op}$$

for $o : \Xi \triangleright [\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$ in $\Omega$


Figure 7. Bidirectional typing derivations


$V \vdash_{\Sigma,\Omega} t^d$ : $t$ is in mode $d$ with free variables in $V$ for $(\Sigma, \Omega)$


$$\dfrac{x \in V}{V \vdash_{\Sigma,\Omega} x^{\Rightarrow}}\ \textsc{Var}^{\Rightarrow} \qquad \dfrac{\cdot \vdash_\Sigma A \quad\quad V \vdash_{\Sigma,\Omega} t^{\Leftarrow}}{V \vdash_{\Sigma,\Omega} (t : A)^{\Rightarrow}}\ \textsc{Anno}^{\Rightarrow} \qquad \dfrac{V \vdash_{\Sigma,\Omega} t^{\Rightarrow}}{V \vdash_{\Sigma,\Omega} t^{\Leftarrow}}\ \textsc{Sub}^{\Leftarrow}$$


$$\dfrac{V, \vec{x}_1 \vdash_{\Sigma,\Omega} t_1^{d_1} \quad \cdots \quad V, \vec{x}_n \vdash_{\Sigma,\Omega} t_n^{d_n}}{V \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n)^d}\ \textsc{Op}$$

for $o : \Xi \triangleright [\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$


Figure 8. Mode derivations
4 Mode decoration and related properties


Our first important construction is mode decoration in Section 4.2, which is in 
fact generalised to pinpoint any missing type annotations in a given raw term. 
We discuss some related properties: by bringing mode derivations into the picture, 
we are able to give a natural formulation of soundness and completeness of a 
bidirectional type system with respect to its erasure to an ordinary type system 
in Section 4.1. We also reformulate annotatability [10, Section 3.2] and compare 
it with our completeness and generalised mode decoration in Section 4.3. 


4.1 Soundness and completeness 


Erasure of a bidirectional binding signature removes modes and keeps everything 
else intact; this can be straightforwardly extended by induction to remove modes 
from a bidirectional typing derivation and arrive at an ordinary typing derivation, 
which is soundness. Alternatively, we can remove typing and retain modes, arriving 
at a mode derivation. Conversely, if we have both mode and typing derivations 
for the same term, we can combine them to form a bidirectional typing derivation, 
which is completeness. In short, soundness and completeness are merely the 
separation and combination of mode and typing information carried by the three 
kinds of derivations while keeping their basic structure, directed by the same raw 
term. All these can be summarised in one theorem and proved by induction. 


Theorem 4.1. $\Gamma \vdash_{\Sigma,\Omega} t :^d A$ if and only if both $|\Gamma| \vdash_{\Sigma,\Omega} t^d$ and $\Gamma \vdash_{\Sigma,|\Omega|} t : A$.


4.2 Generalised mode decoration 


The goal of this section is to construct a mode decorator, which decides for any
raw term $V \vdash_{\Sigma,|\Omega|} t$ and mode $d$ whether $V \vdash_{\Sigma,\Omega} t^d$ or not. In fact we shall do
better: if a mode decorator returns a proof that no mode derivation exists, that
negation proof does not give useful information for the user. It will be helpful if a
decorator can produce an explanation of why no mode derivation exists, and even
how to fix the input term to have a mode derivation. We will construct such a
generalised mode decorator (Theorem 4.4), which can be weakened to an ordinary
mode decorator (Corollary 4.6) if the additional explanation is not needed.⁴
Intuitively, a term does not have a mode derivation exactly when there
are not enough type annotations, but such negative formulations convey little
information. Instead, we can provide more information by pointing out the
places in the term that require annotations. For a bidirectional type system, an
annotation is required wherever a term is 'strictly' (which we will define shortly)
in checking mode but required to be in synthesising mode, in which case there
is no rule for switching from checking to synthesising, and thus there is no way
to construct a mode derivation. We can, however, consider generalised mode
derivations (Figure 9) that allow the use of an additional $\textsc{Missing}^{\Rightarrow}$ rule for such


⁴ For the sake of simplicity, we use ordinary mode decoration elsewhere in this paper.
$V \vdash_{\Sigma,\Omega} t^{d,g,s}$ : $t$ is in mode $d$, misses some type annotation iff $g = \mathsf{F}$, and
is in mode $d$ due to an outermost mode cast iff $s = \mathsf{F}$


$$\dfrac{x \in V}{V \vdash_{\Sigma,\Omega} x^{\Rightarrow,\mathsf{T},\mathsf{T}}}\ \textsc{Var}^{\Rightarrow} \qquad \dfrac{\cdot \vdash_\Sigma A \quad\quad V \vdash_{\Sigma,\Omega} t^{\Leftarrow,g,s}}{V \vdash_{\Sigma,\Omega} (t : A)^{\Rightarrow,g,\mathsf{T}}}\ \textsc{Anno}^{\Rightarrow}$$

$$\dfrac{V \vdash_{\Sigma,\Omega} t^{\Leftarrow,g,\mathsf{T}}}{V \vdash_{\Sigma,\Omega} t^{\Rightarrow,\mathsf{F},\mathsf{F}}}\ \textsc{Missing}^{\Rightarrow} \qquad \dfrac{V \vdash_{\Sigma,\Omega} t^{\Rightarrow,g,\mathsf{T}}}{V \vdash_{\Sigma,\Omega} t^{\Leftarrow,g,\mathsf{F}}}\ \textsc{Sub}^{\Leftarrow}$$

$$\dfrac{V, \vec{x}_1 \vdash_{\Sigma,\Omega} t_1^{d_1,g_1,s_1} \quad \cdots \quad V, \vec{x}_n \vdash_{\Sigma,\Omega} t_n^{d_n,g_n,s_n}}{V \vdash_{\Sigma,\Omega} \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n)^{d,\,\bigwedge_i g_i,\,\mathsf{T}}}\ \textsc{Op}$$


Figure 9. Generalised mode derivations


switching, so that a derivation can always be constructed. Given a generalised
mode derivation, if it uses $\textsc{Missing}^{\Rightarrow}$ in some places, then those places are exactly
where annotations should be supplied; if it does not use $\textsc{Missing}^{\Rightarrow}$, then the
derivation is genuine in the sense that it corresponds directly to an original mode
derivation. This can be succinctly formulated as Lemma 4.2 below by encoding
genuineness as a boolean $g$ in the generalised mode judgement, which is set to $\mathsf{F}$
only by the $\textsc{Missing}^{\Rightarrow}$ rule. (Ignore the boolean $s$ for now.)


Lemma 4.2. If $V \vdash_{\Sigma,\Omega} t^{d,\mathsf{T},s}$, then $V \vdash_{\Sigma,\Omega} t^d$.


We also want a lemma that covers the case where $g = \mathsf{F}$.


Lemma 4.3. If $V \vdash_{\Sigma,\Omega} t^{d,\mathsf{F},s}$, then $V \nvdash_{\Sigma,\Omega} t^d$.


This lemma would be wrong if the 'strictness' boolean $s$ was left out of the
rules: having both $\textsc{Sub}^{\Leftarrow}$ and $\textsc{Missing}^{\Rightarrow}$, which we call mode casts, it would be
possible to switch between the two modes freely, which unfortunately means
that we could insert a pair of $\textsc{Sub}^{\Leftarrow}$ and $\textsc{Missing}^{\Rightarrow}$ anywhere, constructing a
non-genuine derivation even when there is in fact a genuine one. The 'strictness'
boolean $s$ can be thought of as disrupting the formation of such pairs of mode
casts: every rule other than the mode casts sets $s$ to $\mathsf{T}$, meaning that a term
is strictly in the mode assigned by the rule (i.e. not altered by a mode cast),
whereas the mode casts set $s$ to $\mathsf{F}$. Furthermore, the sub-derivation of a mode
cast has to be strict, so it is impossible to have consecutive mode casts. Another
way to understand the role of $s$ is that it makes the $\textsc{Missing}^{\Rightarrow}$ rule precise: an
annotation is truly missing only when a term is strictly in checking mode but is
required to be in synthesising mode. The explicit formulation of strictness makes
non-genuine derivations 'truly non-genuine', and Lemma 4.3 can be proved.

Now we are ready to construct a generalised mode decorator. 


Theorem 4.4 (Generalised mode decoration). For any raw term $V \vdash_{\Sigma,|\Omega|} t$
and mode $d$, there is a derivation of $V \vdash_{\Sigma,\Omega} t^{d,g,s}$ for some $g$ and $s$.
The theorem could be proved directly, but that would mix up two case analyses
which respectively inspect the input term $t$ and apply mode casts depending on
which mode $d$ is required. Instead, we distill the case analysis on $d$ that deals
with mode casts into the following Lemma 4.5, whose antecedent (1) is then
established by induction on $t$ in the proof of Theorem 4.4.


Lemma 4.5. For any raw term $V \vdash_{\Sigma,|\Omega|} t$, if


$$V \vdash_{\Sigma,\Omega} t^{d',g',\mathsf{T}} \text{ for some mode } d' \text{ and boolean } g' \qquad (1)$$

then for any mode $d$, there is a derivation of $V \vdash_{\Sigma,\Omega} t^{d,g,s}$ for some $g$ and $s$.
With a generalised mode decorator, it is now easy to derive an ordinary one. 


Corollary 4.6 (Mode decoration). It is decidable whether $V \vdash_{\Sigma,\Omega} t^d$.

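The case split of Lemma 4.5 and the induction of Theorem 4.4, as an added Python example (not the paper's Agda formalisation): it computes, for any signature's modes, the booleans $g$ and $s$ of the generalised mode derivation and reports the paths at which $\textsc{Missing}^{\Rightarrow}$ had to be used. The term and signature encodings are this example's own assumptions; terms are assumed well-scoped, since mode derivations never inspect types.

```python
"""Generalised mode decoration (Section 4.2, Figure 9) over the modes of a
bidirectional binding signature, following the case split of Lemma 4.5.

Assumed representations (this example's, not the paper's):
  raw terms   ('var', name) | ('anno', t, A) | ('op', o, [(xs, t_i), ...])
  signature   {o: ([d_1, ..., d_n], d)}   modes of the arguments, conclusion
Types A are opaque here: mode decoration never inspects them.
"""
SYN, CHK = '=>', '<='        # the two modes of Section 3.3
T, F = True, False           # the booleans g (genuine) and s (strict)

# Constructed: the modes of the signature Omega of Example 3.15.
STLC_MODES = {
    'abs': ([CHK], CHK),      # abs : [A]B<=  -> (A => B)<=
    'app': ([SYN, CHK], SYN), # app : (A => B)=>, A<= -> B=>
}

def strict(sig, t, path, missing):
    """Antecedent (1) of Lemma 4.5: the strict derivation V |- t^{d',g',T}
    given by the rule matching t's head.  Returns (d', g') and appends to
    `missing` every path inside t at which MISSING=> was used."""
    kind = t[0]
    if kind == 'var':                     # VAR=> : x^{=>,T,T}
        return SYN, T
    if kind == 'anno':                    # ANNO=> : the body is checked
        g, _s = decorate(sig, t[1], CHK, path + ('anno',), missing)
        return SYN, g
    args, d = sig[t[1]]                   # OP : each t_i in its own mode d_i
    g = T
    for i, ((_xs, ti), di) in enumerate(zip(t[2], args)):
        gi, _si = decorate(sig, ti, di, path + (i,), missing)
        g = g and gi                      # g = /\_i g_i, s = T
    return d, g

def decorate(sig, t, d, path=(), missing=None):
    """Theorem 4.4: for every raw term t and required mode d return (g, s)
    with V |- t^{d,g,s} derivable.  g = F exactly when an annotation is
    missing (Lemmas 4.2/4.3); s = F when a mode cast was applied outermost."""
    if missing is None:
        missing = []
    d_strict, g = strict(sig, t, path, missing)
    if d == d_strict:                     # no mode cast needed
        return g, T
    if d_strict == SYN:                   # SUB<= : free switch, s = F
        return g, F
    missing.append(path)                  # MISSING=> : g = F, s = F
    return F, F

def explain(sig, t, d=SYN):
    """Ordinary mode decoration (Corollary 4.6) plus the explanation:
    (has_mode_derivation, paths_at_which_an_annotation_is_required)."""
    missing = []
    g, _s = decorate(sig, t, d, (), missing)
    return g, missing

if __name__ == '__main__':
    # (\x.x) y : the abstraction is strictly checking but must synthesise.
    lam = ('op', 'abs', [(['x'], ('var', 'x'))])
    bad = ('op', 'app', [([], lam), ([], ('var', 'y'))])
    print(explain(STLC_MODES, bad))    # (False, [(0,)]) : annotate argument 0
    good = ('op', 'app', [([], ('anno', lam, 'b->b')), ([], ('var', 'y'))])
    print(explain(STLC_MODES, good))   # (True, [])
```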

4.3 Annotatability 


Dunfield and Krishnaswami [10, Section 3.2] formulated completeness differently 
from our Theorem 4.1 and proposed annotatability as a more suitable name. In 
our theory, we may reformulate annotatability as follows. 


Proposition 4.7 (Annotatability). If $\Gamma \vdash_{\Sigma,|\Omega|} t : A$, then there exists $t'$ such
that $t' \sqsupseteq t$ and $\Gamma \vdash_{\Sigma,\Omega} t' :^d A$ for some $d$.


Defined in Figure 10, the 'annotation ordering' $t' \sqsupseteq t$ means that $t'$ has the same
or more annotations than $t$. In a sense, annotatability is a reasonable form of
completeness: if a term of a simply typed language $(\Sigma, |\Omega|)$ is typable in the
ordinary type system, it may not be directly typable in the bidirectional type
system $(\Sigma, \Omega)$ due to some missing annotations, but will be if those annotations
are added correctly. In our theory, Proposition 4.7 can be straightforwardly proved
by induction on the derivation given by generalised mode decoration (Theorem 4.4)
to construct a bidirectional typing derivation in the same mode. The interesting
case is $\textsc{Missing}^{\Rightarrow}$, which is mapped to $\textsc{Anno}^{\Rightarrow}$, adding to the term a type
annotation that comes from the given typing derivation.


$t \sqsupseteq u$ : A raw term $t$ is more annotated than $u$


$$\dfrac{t \sqsupseteq u}{(t : A) \sqsupseteq u}\ \textsc{More} \qquad \dfrac{}{x \sqsupseteq x}\ \textsc{Var} \qquad \dfrac{t \sqsupseteq u}{(t : A) \sqsupseteq (u : A)}\ \textsc{Anno}$$

$$\dfrac{t_1 \sqsupseteq u_1 \quad \cdots \quad t_n \sqsupseteq u_n}{\mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) \sqsupseteq \mathrm{op}_o(\vec{x}_1.\,u_1; \ldots; \vec{x}_n.\,u_n)}\ \textsc{Op}$$


Figure 10. Annotation ordering between raw terms
On the other hand, when using a bidirectional type synthesiser to implement a
type synthesiser, for example in Theorem 2.4, if the bidirectional type synthesiser
concludes that there does not exist a bidirectional typing derivation, we use the 
contrapositive form of completeness to establish that such an ordinary typing 
derivation does not exist either. Now, annotatability is a kind of completeness 
because (roughly speaking) it turns an ordinary typing derivation bidirectional. 
Hence, it is conceivable that we could use annotatability in place of completeness 
in the proof of Theorem 2.4. However, in the contrapositive form of annotatability, 
the antecedent is ‘there does not exist t’ that is more annotated than t and has a 
bidirectional typing derivation’, which is more complex than the bidirectional 
type synthesiser would have to produce. Annotatability also does not help the 
user to deal with missing annotations: although annotatability seems capable of 
determining where annotations are missing and even filling them in correctly, 
its antecedent requires a typing derivation, which is what the user is trying to 
construct and does not have yet. Therefore we believe that our theory offers 
simpler and more useful alternatives than the notion of annotatability. 


5 Bidirectional type synthesis and checking 


This section focuses on defining mode-correctness and deriving bidirectional
type synthesis for any mode-correct bidirectional type system $(\Sigma, \Omega)$. We start
with Section 5.1 by defining mode-correctness and showing the uniqueness of
synthesised types. This uniqueness means that any two synthesised types for the
same raw term $t$ under the same context $\Gamma$ have to be equal. It will be used
especially in Section 5.2 for the proof of the decidability of bidirectional type
synthesis and checking. Then, we conclude this section with the trichotomy on
raw terms in Section 5.3.


5.1 Mode correctness 


As Dunfield and Krishnaswami [10] outlined, mode-correctness for a bidirectional
typing rule means that (i) each 'input' type variable in a premise must be an
'output' variable in 'earlier' premises, or provided by the conclusion if the rule is
checking; (ii) each 'output' type variable in the conclusion should be some 'output'
variable in a premise if the rule is synthesising. Here 'input' variables refer to
variables in an extension context and in a checking premise. It is important to
note that the order of premises in a bidirectional typing rule also matters, since
synthesised type variables are instantiated incrementally during type synthesis.
Consider the rule $\textsc{Abs}^{\Leftarrow}$ (Figure 3) as an example. This rule is mode-correct,
as the type variables $A$ and $B$ in its only premise are already provided by its
conclusion $A \supset B$. Likewise, the rule $\textsc{App}^{\Rightarrow}$ for an application term $t\,u$ is mode-
correct because: (i) the type $A \supset B$ of the first argument $t$ is synthesised, thereby
ensuring type variables $A$ and $B$ must be known if successfully synthesised; (ii) the
type of the second argument $u$ is checked against $A$, which has been synthesised
earlier; (iii) as a result, the type of an application $t\,u$ can be synthesised.
Now let us define mode-correctness rigorously. As we have outlined, the
condition of mode-correctness for a synthesising rule is different from that of
a checking rule, and the argument order also matters. Defining the condition
directly for a rule, and thus in our setting for an operation, can be somewhat
intricate. Instead, we choose to define the conditions for the argument list (more
specifically, the triples $[\Delta_i]A_i^{d_i}$ of an extension context $\Delta_i$, a type $A_i$, and a mode
$d_i$ pertaining to an operation), then for an operation, and subsequently for a signature.
We also need some auxiliary definitions for the subset of variables of a type and
of an extension context, and the set of variables that have been synthesised:


Definition 5.1. The finite subsets⁵ of (free) variables of a type $A$ and of variables
in an extension context $\Delta$ are denoted by $\mathrm{fv}(A)$ and $\mathrm{fv}(\Delta)$ respectively. For an
argument list $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n}$, the set of type variables $A_i$ with $d_i$ being $\Rightarrow$
is denoted by $\mathrm{fv}^{\Rightarrow}([\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n})$, i.e. $\mathrm{fv}^{\Rightarrow}$ gives the set of type variables
that will be synthesised during type synthesis.


Definition 5.2. The mode-correctness $\mathrm{MC}_{\Xi,S}(\overrightarrow{[\Delta_i]A_i^{d_i}})$ for an argument list
$[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n}$ with respect to a subset $S$ of $\Xi$ is a predicate defined by

$$\mathrm{MC}_{\Xi,S}(\cdot) = \mathsf{T}$$

$$\mathrm{MC}_{\Xi,S}\bigl(\overrightarrow{[\Delta_i]A_i^{d_i}},\ [\Delta_n]A_n^{\Leftarrow}\bigr) = \mathrm{fv}(\Delta_n, A_n) \subseteq \bigl(S \cup \mathrm{fv}^{\Rightarrow}(\overrightarrow{[\Delta_i]A_i^{d_i}})\bigr) \wedge \mathrm{MC}_{\Xi,S}(\overrightarrow{[\Delta_i]A_i^{d_i}})$$

$$\mathrm{MC}_{\Xi,S}\bigl(\overrightarrow{[\Delta_i]A_i^{d_i}},\ [\Delta_n]A_n^{\Rightarrow}\bigr) = \mathrm{fv}(\Delta_n) \subseteq \bigl(S \cup \mathrm{fv}^{\Rightarrow}(\overrightarrow{[\Delta_i]A_i^{d_i}})\bigr) \wedge \mathrm{MC}_{\Xi,S}(\overrightarrow{[\Delta_i]A_i^{d_i}})$$


where $\mathrm{MC}_{\Xi,S}(\cdot) = \mathsf{T}$ means that an empty list is always mode-correct.


This definition encapsulates the idea that every 'input' type variable, possibly
derived from an extension context $\Delta_n$ or a checking argument $A_n$, must be an
'output' variable from $\mathrm{fv}^{\Rightarrow}(\overrightarrow{[\Delta_i]A_i^{d_i}})$ or, if the rule is checking, belong to the
set $S$ of 'input' variables in its conclusion. This condition must also be met for
every tail of the argument list to ensure that 'output' variables accessible at each
argument are from preceding arguments only, hence an inductive definition.


Definition 5.3. An arity $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$ is mode-correct if

1. either $d$ is $\Leftarrow$, its argument list is mode-correct with respect to $\mathrm{fv}(A_0)$, and
the union $\mathrm{fv}(A_0) \cup \mathrm{fv}^{\Rightarrow}(\overrightarrow{[\Delta_i]A_i^{d_i}})$ contains every inhabitant of $\Xi$;

2. or $d$ is $\Rightarrow$, its argument list is mode-correct with respect to $\emptyset$, and $\mathrm{fv}^{\Rightarrow}(\overrightarrow{[\Delta_i]A_i^{d_i}})$
contains every inhabitant of $\Xi$ and, particularly, $\mathrm{fv}(A_0)$.


A bidirectional binding signature $\Omega$ is mode-correct if every operation's arity is
mode-correct.


5 There are various definitions for finite subsets of a set within type theory, but for our 
purposes the choice among these definitions is not a matter of concern. 
For a checking operation, an 'input' variable of an argument could be derived
from $A_0$, as these are known during type checking as an input. Since every
inhabitant of $\Xi$ can be located in either $A_0$ or synthesised variables, we can
determine a concrete type for each inhabitant of $\Xi$ during type synthesis. On the
other hand, for a synthesising operation, we do not have any known variables at
the onset of type synthesis, so the argument list should be mode-correct with
respect to $\emptyset$. Also, the set of synthesised variables alone should include every
type variable in $\Xi$ and particularly in $A_0$.


Remark 5.4. Mode-correctness is fundamentally a condition for bidirectional 
typing rules, not for derivations. Thus, this property cannot be formulated without 
treating rules as some mathematical object such as those general definitions in 
Section 3. This contrasts with the properties in Section 4, which can still be 
specified for individual systems in the absence of a general definition. 


It is easy to check that the bidirectional type system $(\Sigma_\supset, \Omega_{\Leftrightarrow})$ for simply typed
$\lambda$-calculus is mode-correct by definition or by the following lemma:


Lemma 5.5. For any bidirectional binding arity $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n} \to A_0^d$, it
is decidable whether it is mode-correct.
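Lemma 5.5 as an added Python decision procedure (not the paper's own code), following Definitions 5.1 to 5.3 literally: the argument list is checked tail by tail so that only preceding arguments contribute synthesised variables. The encoding of types, argument lists and arities is assumed here, and the two mode-incorrect arities at the end are constructed counterexamples.

```python
"""Decision procedure for mode-correctness of bidirectional binding arities
(Definitions 5.1-5.3, Lemma 5.5).

Assumed representations (this example's, not the paper's):
  types      a string naming a variable of Xi, or ('op', name, [args])
  argument   (Delta, A, d) with Delta a list of types (extension context)
  arity      (Xi, args, A0, d)  for  Xi |> [Delta_1]A_1^d_1, ... -> A0^d
"""
SYN, CHK = '=>', '<='

def fv(ty):
    """Definition 5.1: the finite set of type variables occurring in a type."""
    if isinstance(ty, str):
        return {ty}
    return set().union(*(fv(a) for a in ty[2]))

def fv_ctx(delta):
    """fv of an extension context: the union over its types."""
    return set().union(*(fv(a) for a in delta))

def fv_syn(args):
    """fv^=>: variables of the argument types whose mode is synthesising."""
    return set().union(*(fv(a) for (_, a, d) in args if d == SYN))

def mc_args(args, s):
    """Definition 5.2: MC_{Xi,S} by induction on the tail of the list.  The
    variables available to the last argument are S together with those
    synthesised by the *preceding* arguments only."""
    if not args:
        return True                       # MC_{Xi,S}(.) = T
    head, (delta, a, d) = args[:-1], args[-1]
    known = s | fv_syn(head)
    if d == CHK:                          # inputs: Delta_n and A_n
        ok = fv_ctx(delta) | fv(a) <= known
    else:                                 # inputs: Delta_n only
        ok = fv_ctx(delta) <= known
    return ok and mc_args(head, s)

def mode_correct(arity):
    """Definition 5.3.  Decidable (Lemma 5.5) because every set involved is a
    finite set of variables of Xi, compared by subset inclusion."""
    xi, args, a0, d = arity
    xi = set(xi)
    if d == CHK:
        return mc_args(args, fv(a0)) and xi <= fv(a0) | fv_syn(args)
    return (mc_args(args, set()) and xi <= fv_syn(args)
            and fv(a0) <= fv_syn(args))

def mode_correct_signature(omega):
    """A bidirectional binding signature is mode-correct if every
    operation's arity is."""
    return all(mode_correct(ar) for ar in omega.values())

def fun(a, b):
    """The type A => B as op_fun(A, B) of Example 3.2."""
    return ('op', 'fun', [a, b])

# Constructed: the signature Omega of Example 3.15.
STLC = {
    'abs': (['A', 'B'], [(['A'], 'B', CHK)], fun('A', 'B'), CHK),
    'app': (['A', 'B'], [([], fun('A', 'B'), SYN), ([], 'A', CHK)], 'B', SYN),
}
# Constructed counterexamples: App with its premises swapped (u is checked
# against A before anything has synthesised A), and a synthesising Abs
# (its only premise needs A and B, which nothing provides).
APP_SWAPPED = (['A', 'B'], [([], 'A', CHK), ([], fun('A', 'B'), SYN)], 'B', SYN)
ABS_SYN = (['A', 'B'], [(['A'], 'B', CHK)], fun('A', 'B'), SYN)

if __name__ == '__main__':
    print(mode_correct_signature(STLC))   # True
    print(mode_correct(APP_SWAPPED), mode_correct(ABS_SYN))   # False False
```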


Now, we set out to show the uniqueness of synthesised types for a mode- 
correct bidirectional type system. For a specific system, its proof is typically 
a straightforward induction on the typing derivations. However, since mode- 
correctness is inductively defined on the argument list, our proof proceeds by 
induction on both the typing derivations and the argument list: 


Lemma 5.6 (Uniqueness of synthesised types). In a mode-correct bidirec-
tional type system $(\Sigma, \Omega)$, the synthesised types of any two derivations


$$\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow A \qquad \text{and} \qquad \Gamma \vdash_{\Sigma,\Omega} t \Rightarrow B$$
for the same term $t$ must be equal, i.e. $A = B$.


Proof. We prove the statement by induction on derivations $d_1$ and $d_2$ for $\Gamma \vdash_{\Sigma,\Omega}
t \Rightarrow A$ and $\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow B$. Our system is syntax-directed, so $d_1$ and $d_2$ must be
derived from the same rule:


- $\textsc{Var}^{\Rightarrow}$ follows from the fact that each variable as a raw term refers to the
same variable in its context.

- $\textsc{Anno}^{\Rightarrow}$ holds trivially, since the synthesised type $A$ is from the term $t : A$
in question.

- $\textsc{Op}$: Recall that a derivation of $\Gamma \vdash \mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n) \Rightarrow A$ contains a
substitution $\rho$ from the local context $\Xi$ to concrete types. To prove that
any two typing derivations have the same synthesised type, it suffices to
show that those substitutions $\rho_1$ and $\rho_2$ of $d_1$ and $d_2$, respectively, agree on
variables in $\mathrm{fv}^{\Rightarrow}([\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n})$ so that $A_0(\rho_1) = A_0(\rho_2)$. We prove
it by induction on the argument list:

1. For the empty list, the statement is vacuously true.

2. If $d_{i+1}$ is $\Leftarrow$, then the statement holds by induction hypothesis.

3. If $d_{i+1}$ is $\Rightarrow$, then $\Delta_{i+1}(\rho_1) = \Delta_{i+1}(\rho_2)$ by induction hypothesis (of the
list). Therefore, under the same context $\Gamma, \vec{x}_{i+1} : \Delta_{i+1}(\rho_1) = \Gamma, \vec{x}_{i+1} : \Delta_{i+1}(\rho_2)$ the
term $t_{i+1}$ must have the same synthesised type $A_{i+1}(\rho_1) = A_{i+1}(\rho_2)$ by
induction hypothesis (of the typing derivation), so $\rho_1$ and $\rho_2$ agree on
$\mathrm{fv}(A_{i+1})$ in addition to $\mathrm{fv}^{\Rightarrow}([\Delta_1]A_1^{d_1}, \ldots, [\Delta_i]A_i^{d_i})$.


5.2 Decidability of bidirectional type synthesis and checking


We have arrived at the main technical contribution of this paper.


Theorem 5.7. In a mode-correct bidirectional type system $(\Sigma, \Omega)$,


1. if $|\Gamma| \vdash_{\Sigma,\Omega} t^{\Rightarrow}$, then it is decidable whether $\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow A$ for some $A$;
2. if $|\Gamma| \vdash_{\Sigma,\Omega} t^{\Leftarrow}$, then it is decidable for any $A$ whether $\Gamma \vdash_{\Sigma,\Omega} t \Leftarrow A$.


The interesting part of the theorem is the case for the $\textsc{Op}$ rule. We shall
give its insight first instead of jumping into the details. Recall that a typing
derivation for $\mathrm{op}_o(\vec{x}_1.\,t_1; \ldots; \vec{x}_n.\,t_n)$ contains a substitution $\rho : \Xi \to \mathrm{Ty}_\Sigma(\emptyset)$. The
goal of type synthesis for this case is exactly to define such a substitution $\rho$,
and we have to start with an 'accumulating' substitution: a substitution $\rho_0$
that is partially defined on $\mathrm{fv}(A_0)$ if $d$ is $\Leftarrow$ or otherwise nowhere. By mode-
correctness, the accumulating substitution $\rho_i$ will be defined on enough synthesised
variables so that type synthesis or checking can be performed on $t_i$ with the
context $\Gamma, \vec{x}_i : \Delta_i(\rho_i)$ based on its mode derivation $|\Gamma|, \vec{x}_i \vdash_{\Sigma,\Omega} t_i^{d_i}$. If we visit a
synthesising argument $[\Delta_{i+1}]A_{i+1}^{\Rightarrow}$, then we may extend the domain of $\rho_i$ to $\rho_{i+1}$
with the synthesised variables $\mathrm{fv}(A_{i+1})$, provided that type synthesis is successful
and that the synthesised type can be unified with $A_{i+1}$. If we go through every
$t_i$ successfully, then we will have a total substitution $\rho_n$ by mode-correctness and
a derivation of $\Gamma, \vec{x}_i : \Delta_i(\rho_n) \vdash_{\Sigma,\Omega} t_i :^{d_i} A_i(\rho_n)$ for each sub-term $t_i$.
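The accumulating-substitution algorithm just described, as an added Python example (not the paper's formalisation) that works for any signature in the representation assumed below. Matching a type with variables against a concrete type plays the role of Lemma 5.10, and the hypothesis of Theorem 5.7 (that the term is in the required mode) is assumed rather than checked, so a term outside it simply fails.

```python
"""Bidirectional type synthesis and checking for a mode-correct
bidirectional type system, following the OP case of Theorem 5.7.

Assumed representations (this example's, not the paper's):
  types   a variable name (str) or ('op', name, [args]); concrete = no str
  terms   ('var', x) | ('anno', t, A) | ('op', o, [(xs, t_i), ...])
  arity   omega[o] = (args, A0, d)  with  args = [(Delta, A, d_i), ...]
"""
SYN, CHK = '=>', '<='

def subst(ty, rho):
    """A(rho): apply a (partial) substitution; rho must cover fv(A)."""
    if isinstance(ty, str):
        return rho[ty]
    return ('op', ty[1], [subst(a, rho) for a in ty[2]])

def extend(pattern, concrete, rho):
    """Lemma 5.10: the minimal extension of rho with pattern(rho) == concrete,
    or None if no extension exists.  `concrete` has no variables, so this is
    one-way matching rather than general unification."""
    if isinstance(pattern, str):
        if pattern in rho:
            return rho if rho[pattern] == concrete else None
        return {**rho, pattern: concrete}
    if (isinstance(concrete, str) or pattern[1] != concrete[1]
            or len(pattern[2]) != len(concrete[2])):
        return None
    for p, c in zip(pattern[2], concrete[2]):
        rho = extend(p, c, rho)
        if rho is None:
            return None
    return rho

def synth(omega, ctx, t):
    """Gamma |- t => A: the synthesised concrete type, or None."""
    if t[0] == 'var':                          # VAR=>
        return ctx.get(t[1])
    if t[0] == 'anno':                         # ANNO=>: check the body
        return t[2] if check(omega, ctx, t[1], t[2]) else None
    args, a0, d = omega[t[1]]                  # OP with a synthesising o
    if d != SYN:
        return None
    rho = op_args(omega, ctx, args, t[2], {})  # rho_0 defined nowhere
    return None if rho is None else subst(a0, rho)

def check(omega, ctx, t, a):
    """Gamma |- t <= A: True iff a checking derivation exists."""
    if t[0] == 'op' and omega[t[1]][2] == CHK: # OP with a checking o
        args, a0, _ = omega[t[1]]
        rho0 = extend(a0, a, {})               # rho_0 partial on fv(A0)
        if rho0 is None:
            return False
        return op_args(omega, ctx, args, t[2], rho0) is not None
    b = synth(omega, ctx, t)                   # SUB<=: by uniqueness of
    return b is not None and b == a            # synthesised types (Lemma 5.6)

def op_args(omega, ctx, args, subterms, rho):
    """The claim in the proof of Theorem 5.7: visit the arguments in order,
    growing rho_i into rho_{i+1} at each synthesising argument.  Mode-
    correctness guarantees that rho_i covers fv(Delta_i), and fv(A_i) when
    d_i is checking, so the subst calls below cannot fail."""
    for (delta, a, d), (xs, ti) in zip(args, subterms):
        ctx_i = {**ctx, **{x: subst(dt, rho) for x, dt in zip(xs, delta)}}
        if d == CHK:
            if not check(omega, ctx_i, ti, subst(a, rho)):
                return None
        else:
            b = synth(omega, ctx_i, ti)
            rho = None if b is None else extend(a, b, rho)
            if rho is None:
                return None
    return rho

def fun(a, b):
    return ('op', 'fun', [a, b])
BASE = ('op', 'b', [])

# Constructed: the mode-correct signature Omega of Example 3.15.
STLC = {
    'abs': ([(['A'], 'B', CHK)], fun('A', 'B'), CHK),
    'app': ([([], fun('A', 'B'), SYN), ([], 'A', CHK)], 'B', SYN),
}

if __name__ == '__main__':
    ident = ('anno', ('op', 'abs', [(['x'], ('var', 'x'))]), fun(BASE, BASE))
    app_y = ('op', 'app', [([], ident), ([], ('var', 'y'))])
    print(synth(STLC, {'y': BASE}, app_y))     # ('op', 'b', [])
```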


Remark 5.8. To make the argument above sound, it is necessary to compare
types and solve a unification problem. Hence, we assume that the set $\Xi$ of type
variables has a decidable equality, thereby ensuring that the set $\mathrm{Ty}_\Sigma(\Xi)$ of types
also has a decidable equality.⁶


We need some auxiliary definitions for the notion of extension to state the 
unification problem: 


Definition 5.9. By an extension $\sigma \geq \rho$ of a partial substitution $\rho$ we mean that
the domain $\mathrm{dom}(\sigma)$ of $\sigma$ contains the domain of $\rho$ and $\sigma(x) = \rho(x)$ for every $x$
in $\mathrm{dom}(\rho)$. By a minimal extension $\bar\rho$ of $\rho$ satisfying $P$ we mean an extension
$\bar\rho \geq \rho$ with $P(\bar\rho)$ such that $\sigma \geq \bar\rho$ whenever $\sigma \geq \rho$ and $P(\sigma)$.


⁶ To simplify our choice, we may confine $\Xi$ to any set within the family of sets $\mathrm{Fin}(n)$
of naturals less than $n$, given that these sets have a decidable equality and the arity
of a type construct is finite. Indeed, in our formalisation, we adopt $\mathrm{Fin}(n)$ as the
set of type variables in the definition of $\mathrm{Ty}_\Sigma$. For the sake of clarity in presentation,
though, we just use named variables and assume that $\Xi$ has a decidable equality.
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Lemma 5.10. For any A of Tys(5), B of Tys(), and a partial substitution 
p: Z + Tys(@), either 


1. there is a minimal extension p of p such that A(p) = B, or 
2. there is no extension o of p such that Alo) = B 


This lemma can be derived from the correctness of first-order unification [21, 22], 
or be proved directly without unification. We are now ready for Theorem 5.7: 


Proof (of Theorem 5.7). We prove this statement by induction on the mode derivation $|\Gamma| \vdash_{\Sigma,\Omega} t^d$. The two cases $\mathrm{VAR}^{\Rightarrow}$ and $\mathrm{ANNO}^{\Rightarrow}$ are straightforward and independent of mode-correctness. The case $\mathrm{SUB}^{\Leftarrow}$ invokes the uniqueness of synthesised types to refute the case that $\Gamma \vdash_{\Sigma,\Omega} t \Rightarrow B$ but $A \neq B$ for a given type $A$. The first three cases follow essentially the same reasoning provided by Wadler et al. [30], so we only detail the last case OP, which is new (but has been discussed informally above). For brevity we omit the subscript $(\Sigma, \Omega)$. For a mode derivation of $|\Gamma| \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n)^d$, we first claim:


Claim. For an argument list $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n}$ and any partial substitution $\rho$ from $\Xi$ to $\mathrm{Ty}_\Sigma(\emptyset)$, either

1. there is a minimal extension $\bar\rho$ of $\rho$ such that
$$\mathrm{dom}(\bar\rho) \supseteq \mathrm{fv}^{\Rightarrow}([\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n}) \quad\text{and}\quad \Gamma, \vec{x}_i : \Delta_i(\bar\rho) \vdash t_i : A_i(\bar\rho)^{d_i} \qquad (2)$$
for $i = 1, \ldots, n$, or
2. there is no extension $\sigma$ of $\rho$ such that (2) holds.


Then, we proceed with a case analysis on $d$ in the mode derivation:

— $d$ is $\Rightarrow$: We apply our claim with the partial substitution $\rho_0$ defined nowhere.
  1. If there is no $\sigma \geq \rho_0$ such that (2) holds but $\Gamma \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n) \Rightarrow A$ for some $A$, then by inversion we have $\rho : \mathrm{Sub}_\Sigma(\Xi, \emptyset)$ such that

  for every $i$. Obviously, $\rho \geq \rho_0$ and $\Gamma, \vec{x}_i : \Delta_i(\rho) \vdash t_i : A_i(\rho)^{d_i}$ for every $i$, which contradicts the assumption that no such extension exists.
  2. If there exists a minimal $\bar\rho \geq \rho_0$ defined on $\mathrm{fv}^{\Rightarrow}([\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n})$ such that (2) holds, then by mode-correctness $\bar\rho$ is total, and thus
  $$\Gamma \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n) \Rightarrow A_0(\bar\rho).$$

— $d$ is $\Leftarrow$: Let $A$ be a type and apply Lemma 5.10 with $\rho_0$ defined nowhere.
  1. If there is no $\sigma \geq \rho_0$ s.t. $A_0(\sigma) = A$ but $\Gamma \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n) \Leftarrow A$, then inversion gives us a substitution $\rho$ s.t. $A = A_0(\rho)$, a contradiction.
  2. If there is a minimal $\bar\rho \geq \rho_0$ s.t. $A_0(\bar\rho) = A$, then apply our claim with $\bar\rho$:
    (a) If no $\sigma \geq \bar\rho$ satisfies (2) but $\Gamma \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n) \Leftarrow A$, then by inversion there is $\gamma$ s.t. $A_0(\gamma) = A$ and $\Gamma, \vec{x}_i : \Delta_i(\gamma) \vdash t_i : A_i(\gamma)^{d_i}$ for every $i$. Given that $\bar\rho \geq \rho_0$ is minimal s.t. $A_0(\bar\rho) = A$, it follows that $\gamma$ is an extension of $\bar\rho$, but by assumption no such extension satisfying $\Gamma, \vec{x}_i : \Delta_i(\gamma) \vdash t_i : A_i(\gamma)^{d_i}$ exists, thus a contradiction.
    (b) If there is a minimal $\bar\rho' \geq \bar\rho$ s.t. (2), then by mode-correctness $\bar\rho'$ is total and
    $$\Gamma \vdash \mathsf{op}_o(\vec{x}_1.t_1; \ldots; \vec{x}_n.t_n) \Leftarrow A_0(\bar\rho')$$
    where $A_0(\bar\rho') = A_0(\bar\rho) = A$ since $\bar\rho'(x) = \bar\rho(x)$ for every $x$ in $\mathrm{dom}(\bar\rho)$.

We have proved the decidability by induction on the derivation of $|\Gamma| \vdash_{\Sigma,\Omega} t^d$, assuming the claim.


Proof (of Claim). We prove it by induction on the list $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_n]A_n^{d_n}$:

1. For the empty list, $\rho$ is the minimal extension of $\rho$ itself satisfying (2) trivially.
2. For $[\Delta_1]A_1^{d_1}, \ldots, [\Delta_{m+1}]A_{m+1}^{d_{m+1}}$, by induction hypothesis on the list, we have two cases:
   (a) If there is no $\sigma \geq \rho$ s.t. (2) holds for all $1 \leq i \leq m$ but a minimal $\gamma \geq \rho$ such that (2) holds for all $1 \leq i \leq m+1$, then we have a contradiction.
   (b) There is a minimal $\bar\rho \geq \rho$ s.t. (2) holds for $1 \leq i \leq m$. By case analysis on $d_{m+1}$:
      — $d_{m+1}$ is $\Leftarrow$: By mode-correctness, $\Delta_{m+1}(\bar\rho)$ and $A_{m+1}(\bar\rho)$ are defined. By the ind. hyp. $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Leftarrow A_{m+1}(\bar\rho)$ is decidable. Clearly, if $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Leftarrow A_{m+1}(\bar\rho)$ then the desired statement is proved; otherwise we easily derive a contradiction.
      — $d_{m+1}$ is $\Rightarrow$: By mode-correctness, $\Delta_{m+1}(\bar\rho)$ is defined. By the ind. hyp., '$\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Rightarrow A$ for some $A$' is decidable:
         i. If $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \nvdash t_{m+1} \Rightarrow A$ for any $A$ but there is $\gamma \geq \rho$ s.t. (2) holds for $1 \leq i \leq m+1$, then $\gamma \geq \bar\rho$. Therefore $\Delta_{m+1}(\bar\rho) = \Delta_{m+1}(\gamma)$, and we derive a contradiction because $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Rightarrow A_{m+1}(\gamma)$.
         ii. If $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Rightarrow A$ for some $A$, then Lemma 5.10 gives the following two cases:
            • Suppose no $\sigma \geq \bar\rho$ s.t. $A_{m+1}(\sigma) = A$ but an extension $\gamma \geq \rho$ s.t. (2) holds for $1 \leq i \leq m+1$. Then, $\gamma \geq \bar\rho$ by the minimality of $\bar\rho$ and thus $\Gamma, \vec{x}_{m+1} : \Delta_{m+1}(\bar\rho) \vdash t_{m+1} \Rightarrow A_{m+1}(\gamma)$. However, by Lemma 5.6, the synthesised type $A_{m+1}(\gamma)$ must be unique, so $\gamma$ is an extension of $\bar\rho$ s.t. $A_{m+1}(\gamma) = A$, i.e. a contradiction.
            • If there is a minimal $\bar\rho' \geq \bar\rho$ such that $A_{m+1}(\bar\rho') = A$, then it is not hard to show that $\bar\rho'$ is also the minimal extension of $\rho$ such that (2) holds for all $1 \leq i \leq m+1$.

We have proved our claim for any argument list by induction. □


We have completed the proof of Theorem 5.7. 
The formal counterpart of the above proof in Agda functions as two top-level 
programs for type checking and synthesis. These programs provide either the 
typing derivation or its negation proof. Each case analysis branches depending 
on the outcomes of bidirectional type synthesis and checking for each sub-term, 
as well as the unification process. If a negation proof is not of interest in practice, 
these programs can be simplified by discarding the cases that yield negation proofs. 
Alternatively, we could consider generalising typing derivations instead, like our 
generalised mode derivations (Figure 9), to reformulate negation proofs positively 
to deliver more informative error messages. This would assist programmers in 
resolving issues with ill-typed terms, rather than returning a blatant ‘no’. 


5.3 Trichotomy on raw terms by type synthesis 


Combining the bidirectional type synthesiser with the mode decorator, soundness, and completeness from Section 4, we derive a type synthesiser parameterised by $(\Sigma, \Omega)$, generalising Theorem 2.4.


Corollary 5.11 (Trichotomy on raw terms). For any mode-correct bidirectional type system $(\Sigma, \Omega)$, exactly one of the following holds:

1. $|\Gamma| \vdash_{\Sigma,\Omega} t^d$ and $\Gamma \vdash_{\Sigma,\Omega} t : A$ for some type $A$,

2. $|\Gamma| \vdash_{\Sigma,\Omega} t^d$ but $\Gamma \nvdash_{\Sigma,\Omega} t : A$ for any type $A$, or

3. $|\Gamma| \nvdash_{\Sigma,\Omega} t^d$.


6 Examples 


To exhibit the applicability of our approach, we discuss two more examples: one 
has infinitely many operations and the other includes many more constructs than 
simply typed λ-calculus, exhibiting the practical side of a general treatment. 


6.1 Spine application 


A spine application $t\ u_1\ \ldots\ u_n$ is a form of application that consists of a head term $t$ and an indeterminate number of arguments $u_1, u_2, \ldots, u_n$. This arrangement allows direct access to the head term, making it practical in various applications, and has been used by Agda's core language. 

At first glance, accommodating this form of application may seem impossible, 
given that the number of arguments for a construct is finite and has to be fixed. 
Nonetheless, the total number of operation symbols in a signature need not be 
finite, allowing us to establish a corresponding construct for each number n of 
arguments, i.e. viewing the following rule 


$$\frac{\Gamma \vdash t \Rightarrow A_1 \supset (A_2 \supset (\cdots \supset (A_n \supset B) \ldots)) \qquad \Gamma \vdash u_1 \Leftarrow A_1 \qquad \cdots \qquad \Gamma \vdash u_n \Leftarrow A_n}{\Gamma \vdash t\ u_1\ \ldots\ u_n \Rightarrow B}$$

as a rule schema parametrised by $n$, so the signature $\Sigma^{\supset}$ can be extended with

$$\mathsf{app}_n : A_1, \ldots, A_n, B \,\triangleright\, (A_1 \supset (A_2 \supset (\cdots \supset (A_n \supset B) \ldots)))^{\Rightarrow},\ A_1^{\Leftarrow}, \ldots, A_n^{\Leftarrow} \to B^{\Rightarrow}$$

Each application $t\ u_1\ \ldots\ u_n$ can be introduced as $\mathsf{op}_{\mathsf{app}_n}(t; u_1; \ldots; u_n)$, thereby exhibiting the necessity of having an arbitrary set for operation symbols.

6.2 Computational calculi 
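As an added example (my own Python, not the paper's Agda formalisation), the op case of the type synthesiser sketched before Theorem 5.7, driven by the accumulating partial substitution and the minimal-extension matching of Lemma 5.10, and instantiated with the spine-application schema app_n of this section, one symbol per arity; the tuple encodings of types, terms and operations and the small signature (zero, lam, app_n) are assumptions of the example.

```python
# Added example: the op case of bidirectional type synthesis (Theorem 5.7)
# with an accumulating partial substitution, plus the spine-application
# schema app_n of Section 6.1.  Encodings are assumptions of this example:
#   types  ('base', name) | ('var', xi) for a type variable | ('fun', A, B)
#   terms  ('var', x) | ('ann', t, A) | ('op', o, [(bound_names, t), ...])
#   a partial substitution is a dict from type-variable names to closed types.

def fun(*tys):
    """Right-nested A1 -> (A2 -> ... -> B); assumed helper."""
    *args, last = tys
    for a in reversed(args):
        last = ('fun', a, last)
    return last

NAT = ('base', 'Nat')


def apply(ty, rho):
    """A(rho): apply a partial substitution; None unless fv(A) is in dom(rho)."""
    if ty[0] == 'var':
        return rho.get(ty[1])
    if ty[0] == 'base':
        return ty
    dom, cod = apply(ty[1], rho), apply(ty[2], rho)
    return None if dom is None or cod is None else ('fun', dom, cod)


def extend(pat, ty, rho):
    """Lemma 5.10: the minimal extension of rho with pat(ext) == ty, or None."""
    if pat[0] == 'var':
        if pat[1] in rho:
            return rho if rho[pat[1]] == ty else None
        return {**rho, pat[1]: ty}
    if pat[0] != ty[0]:
        return None
    if pat[0] == 'base':
        return rho if pat[1] == ty[1] else None
    rho = extend(pat[1], ty[1], rho)
    return None if rho is None else extend(pat[2], ty[2], rho)


def signature(name):
    """Operation symbols as (argument list, result type, mode); each argument
    is ([types of its bound variables], type, mode).  Infinitely many symbols
    app_n, one per arity n, are generated on demand."""
    if name == 'zero':
        return [], NAT, '=>'
    if name == 'lam':                      # lam : A, B |> [A]B<= -> (A -> B)<=
        a, b = ('var', 'A'), ('var', 'B')
        return [([a], b, '<=')], fun(a, b), '<='
    if name.startswith('app_'):            # app_n of Section 6.1
        n = int(name[4:])
        tys = [('var', f'A{i}') for i in range(1, n + 1)] + [('var', 'B')]
        args = [([], fun(*tys), '=>')] + [([], t, '<=') for t in tys[:-1]]
        return args, ('var', 'B'), '=>'
    raise KeyError(name)


def run_args(ctx, args, subterms, rho):
    """Visit the arguments left to right, growing the accumulating rho."""
    for (bound_tys, pat, mode), (names, sub) in zip(args, subterms):
        ext = dict(ctx)
        for x, bty in zip(names, bound_tys):
            bound = apply(bty, rho)        # defined by mode-correctness
            if bound is None:
                return None
            ext[x] = bound
        if mode == '<=':
            expected = apply(pat, rho)
            if expected is None or not check(ext, sub, expected):
                return None
        else:
            synthesised = synth(ext, sub)
            if synthesised is None:
                return None
            rho = extend(pat, synthesised, rho)   # unify with A_i
            if rho is None:
                return None
    return rho


def synth(ctx, term):
    """Gamma |- t => A: returns A, or None when no type can be synthesised."""
    if term[0] == 'var':
        return ctx.get(term[1])
    if term[0] == 'ann':
        return term[2] if check(ctx, term[1], term[2]) else None
    args, result, mode = signature(term[1])
    if mode != '=>':
        return None                        # a checking construct needs an annotation
    rho = run_args(ctx, args, term[2], {})  # rho_0 defined nowhere
    return None if rho is None else apply(result, rho)


def check(ctx, term, ty):
    """Gamma |- t <= A."""
    if term[0] == 'op':
        args, result, mode = signature(term[1])
        if mode == '<=':
            rho = extend(result, ty, {})   # rho_0 defined on fv(A_0)
            return rho is not None and run_args(ctx, args, term[2], rho) is not None
    return synth(ctx, term) == ty          # the SUB rule
```

With `f : Nat -> Nat -> Nat` in the context, `lam x. app_2(f; x; zero)` checks against `Nat -> Nat`, while the unannotated lambda synthesises nothing and `app_1(f; x)` in the same body fails because the synthesised `Nat -> Nat` cannot be unified with the expected `Nat`.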


Implementing a stand-alone type synthesiser for a simply typed language is 
typically a straightforward task. However, the code size increases proportionally 
to the number of type constructs and of arguments associated with each term 
construct. For example, when dealing with a fixed number n of type constructs, 
for each synthesising construct there are two cases for a checking argument but 
n+1 cases for each synthesising argument: the successful synthesis of the expected 
type, an instance where it fails, or n − 1 cases where the expected type does not 
match. Thus, having a generator is helpful and can significantly reduce the effort 
for implementation. 

For illustrative purposes, consider a computational calculus [23] with naturals, 
sums, products, and general recursion. The extended language has ‘only’ 15 
constructs, including pairing, projections, injections, and so on, and this number 
of constructs is still far fewer than what a realistic programming language would 
have. Even for this small calculus, there are already nearly 100 possible cases to 
consider in bidirectional type synthesis. 

On the other hand, similar to a parser generator, only one specification is 
needed for a type-synthesiser generator from the user to produce a corresponding 
type synthesiser. Such a specification can be derived by extending (X>, QF ) 
accordingly for additional types and constructs with mode-correctness proved by 
applying Lemma 5.5, so its type synthesiser follows from Corollary 5.11 directly. 


7 Discussion 


We believe that our formal treatment lays a foundation for further investigation, 
as the essential aspects of bidirectional typing have been studied rigorously. While 
our current development is based on simply typed languages to highlight the core 
ideas, it is evident that many concepts and aspects remain untouched. 


Language formalisation frameworks The idea of presenting logics universally dates back at least to universal algebra and model theory, where structures are 
studied for certain notions of arities and signatures. In programming language 
theory, Aczel’s binding signature [1] is an example which has been used to prove a 
general confluence theorem. Many general definitions and frameworks for defining 
logics and type theories have been proposed and can be classified into two groups 
by where signatures reside—the meta level or the object level of a meta-language: 


1. Harper et al.'s logical framework LF [17] and its family of variants [5, 11, 18, 25] are extensions of Martin-Löf type theory, where signatures are on the meta level and naturally capable of specifying dependent type theories;

2. general dependent type theories [6, 7, 19, 28], categorical semantics [4, 12-16, 26, 27] (which includes the syntactic model as a special case), and frameworks for substructural systems [26, 27, 32] are developed within a meta-theory (set theory or type theory), where signatures are on the object level and their expressiveness varies depending on their target languages.

The LF family is expressive, but each extension is a different metalanguage 
and requires a different implementation to check formal LF proofs. Formalising LF 
and its variants is at least as complicated as formalising a dependent type theory, 
and they are mostly implemented separately from their theory and unverified. 

For the second group, theories developed in set theory can often be restated 
in type theory and thus manageable for formalisation in a type-theoretic proof 
assistant. Such examples include frameworks developed by Ahrens et al. [2], Allais 
et al. [3], Fiore and Szamozvancev [14], although these formal implementations 
are limited to simply typed theories for now. 

Our work belongs to the second group, as we aim for a formalism in a type 
theory to minimise the gap between theory and implementation. 


Beyond simple types Bidirectional type synthesis plays a crucial role in 
handling more complex types than simple types, and we sketch how our the- 
ory can be extended to treat a broader class of languages. First, we need a 
general definition of languages in question (Sections 3.1 and 3.2). Then, this 
definition can be augmented with modes (Section 3.3) and the definition of 
mode-correctness (Definition 5.3) can be adapted accordingly. Soundness and 
completeness (Theorem 4.1) should still hold, as they amount to the separation 
and combination of mode and typing information for a given raw term (in a 
syntax-directed formulation). Mode decoration (Section 4.2), which annotates a 
raw term with modes and marks missing annotations, should also work. As for 
the decidability of bidirectional type synthesis, we discuss two cases involving 
polymorphic types and dependent types below. 


Polymorphic types In the case of languages like System F and others that permit 
type-level variable binding, we can start with the notion of polymorphic signature, 
as introduced by Hamana [16]—(i) each type construct in a signature is specified 
by a binding arity with only one type *, and (ii) a term construct can employ a 
pair of extension contexts for term variables and type variables. 

Extending general definitions for bidirectional typing and mode derivations 
from Hamana's work is straightforward. For example, the universal type $\forall\alpha.\,A$ and type abstraction in System F can be specified as operations $\mathsf{all} : * \triangleright [*]* \to *$ and $\mathsf{tabs} : [*]A \triangleright (*)A^{\Leftarrow} \to \mathsf{op}_{\mathsf{all}}(\alpha.A)^{\Leftarrow}$. The decidability of bidirectional type synthesis (Theorem 5.7) should also carry over, as no equations are imposed on types and no guessing (for type application) is required. Adding subtyping $A <: B$ to languages can be done by replacing type equality with a subtyping relation $<:$ and type equality check with subtyping check, so polymorphically typed languages with subtyping such as System F$_{<:}$ can be specified. The main idea of bidirectional typing does not change, so it should be possible to extend the formal theory without further assumptions too.

However, explicit type application in System F and System F$_{<:}$ is impractical but its implicit version results in a stationary rule [20] which is not syntax-directed. By translating the rule to subtyping, we have the instantiation problem that requires guessing $B$ in $\forall\alpha.\,A <: A[B/\alpha]$. A theory that accommodates various solutions to the problem is left as future work. 
Dependent types Logical frameworks with bidirectional typing are proposed by 
Reed [25] and Felicissimo [11]. Felicissimo’s framework is more expressive than 
Reed’s, due to its ability to specify rewriting rules. Both frameworks extend LF, 
enabling generic bidirectional type checking for dependent type theories. They 
also incorporate notions of signatures and mode-correctness (called strictness 
and validity, respectively, in their contexts) but differ from ours in several ways. 

First, the number of operations introduced by a signature in LF is finite, 
so constructs like spine application seem impossible to define. Second, Reed 
and Felicissimo deal with decorated raw terms only, while our theory bridges 
the gap between ordinary and decorated raw terms by mode decoration. Lastly, 
Felicissimo classifies operations a priori into introduction and elimination rules, 
and follows the Pfenning recipe assigning, for example, the synthesising mode to 
each elimination rule and its principal argument. As Dunfield and Krishnaswami point out, bidirectional typing is essentially about managing information flow, and some systems remarkably deviate from this recipe; hence we do not enforce it but establish our results on any reasonable information flow. 


Beyond syntax-directedness To relax the assumption of syntax-directedness, 
we could start from a simple but common case where the ordinary typing part 
is still syntax-directed, but each typing rule is refined to multiple bidirectional 
variants, including different orders of its premises. In such cases, the mode 
decorator would need to backtrack and find all mode derivations, but the type 
synthesiser should still work in a syntax-directed manner on each mode derivation. 
Completeness could still take the simple form presented in this paper too. 
Next, we could consider systems where each construct can have multiple 
typing rules, which can further have multiple bidirectional variants. In this 
setting, the bidirectional type synthesiser will also need to backtrack. It is still 
possible to treat soundness as the separation of mode and type information, but 
completeness will pose a problem: for every raw term, a mode derivation chooses 
a mode assignment while a typing derivation chooses a typing rule, but there 
may not be a bidirectional typing rule for this particular combination. A solution 
might be refining completeness to say that any typing derivation can be combined 
with one of the possible mode derivations into a bidirectional typing derivation. 


Towards a richer formal theory There are more principles and techniques 
in bidirectional typing that could be formally studied in general, with one 
notable example being the Pfenning recipe for bidirectionalising typing rules [10, 
Section 4]. There are also concepts that may be hard to fully formalise, for 
example ‘annotation character’ [10, Section 3.4], which is roughly about how easy 
it is for the user to write annotated programs, but it would be interesting to 
explore to what extent such concepts can be formalised. 
Abstract. Bidirectional typing is a discipline in which the typing judgment is decomposed explicitly into inference and checking modes, allowing one to control the flow of type information in typing rules and to specify 
algorithmically how they should be used. Bidirectional typing has been 
fruitfully studied and bidirectional systems have been developed for many 
type theories. However, the formal development of bidirectional typing 
has until now been kept confined to specific theories, with general guide- 
lines remaining informal. In this work, we give a generic account of bidi- 
rectional typing for a general class of dependent type theories. This is 
done by first giving a general definition of type theories (or equivalently, a 
logical framework), for which we define declarative and bidirectional type 
systems. We then show, in a theory-independent fashion, that the two 
systems are equivalent. This equivalence is then explored to establish the 
decidability of typing for weak normalizing theories, yielding a generic 
type-checking algorithm that has been implemented in a prototype and 
used in practice with many theories. 


Keywords: Type Theory - Bidirectional Typing - Logical Frameworks 


1 Introduction 


Algebraic [13,7] and logical framework [27,45,8,21] presentations of dependent 
type theories suffer from the verbosity of the required explicit type annotations, 
which destroys any hope of practical usability. In these settings, every type 
argument must be explicitly spelled out: an application is written as $t\ @_{x:A.B}\ u$, a dependent pair as $(t, u)_{A,x.B}$, cons as $t ::_A l$ and the list goes on. 

In order to restore usability, standard presentations of dependent type the- 
ories omit the majority of these annotations, so one writes t u for application, 
(t,u) for a dependent pair, t :: L for cons, etc. This unannotated syntax is so 
common that readers not familiar with algebraic presentations of type theory 
might not even realize that an omission is being made. 

The omission of type arguments has nevertheless a cost: because knowing 
them is still important when typing terms, it becomes unclear how to do this 
algorithmically, even when decidability of conversion holds. Take for instance 
the typing rule for the dependent pair: in order to type $(t, u)$ one needs to guess the arguments $A$ and $B$, as unlike for the fully-annotated version $(t, u)_{A,x.B}$ these are not stored in the syntax.

$$\frac{\Gamma \vdash A\ \mathrm{type} \qquad \Gamma, x : A \vdash B\ \mathrm{type} \qquad \Gamma \vdash t : A \qquad \Gamma \vdash u : B[t/x]}{\Gamma \vdash (t, u) : \Sigma x : A.\,B}$$


A solution to this problem is provided by bidirectional typing [35,16,19,20,41]. In this typing discipline, the declarative typing judgment $\Gamma \vdash t : A$ is decomposed explicitly into inference $\Gamma \vdash t \Rightarrow A$, where $\Gamma$ and $t$ are inputs and $A$ is an output, and checking $\Gamma \vdash t \Leftarrow A$, where $\Gamma$, $t$ and $A$ are all inputs. The important point is that, by using these new judgments to control the flow of type information in a typing rule, one can specify algorithmically how the rule should be used. For instance, the following rule clarifies how one should type $(t, u)$: the types $A$ and $B$ are not to be guessed, but instead recovered from the type $C$, which should be given as input.

$$\frac{C \longrightarrow^{*} \Sigma x : A.\,B \qquad \Gamma \vdash t \Leftarrow A \qquad \Gamma \vdash u \Leftarrow B[t/x]}{\Gamma \vdash (t, u) \Leftarrow C}$$


We therefore see that bidirectional typing is the natural companion for an 
unannotated syntax, as it allows to algorithmically explain how the missing 
information can be retrieved. 

Bidirectional typing has been fruitfully studied and bidirectional systems 
have been developed for many type theories [16,33,25,1,38,2]. However, the for- 
mal development of bidirectional typing has until now remained confined to 
specific theories, with general guidelines remaining informal. One can then nat- 
urally wonder if it would be possible to define a framework in which bidirectional 
typing could be studied generically, putting its general theory in solid ground. 
This is exactly the goal of this paper. 

We contribute a theory-independent account of bidirectional typing. For this, 
we start by giving a general definition of type theories (or equivalently, a logical 
framework), which differs from previous frameworks [45,29] by allowing for the 
usual unannotated syntaxes most often used in practice. Each such theory then 
defines a declarative type system, which is shown to satisfy good properties like 
weakening, substitution and, for well-behaved theories, subject reduction. 

Then, to formulate our bidirectional system we first address the known prob- 
lem that some unannotated terms cannot be algorithmically typed [18]. We pro- 
pose generic notions of inferable and checkable terms which, for non-degenerate 
theories, coincide respectively with neutrals and normal forms, and then for- 
mulate our bidirectional system for this subset of terms. As argued in previous 
works [38,1], this restriction is reasonable because users of type theory usually 
only write terms in normal form. We then show, in a theory-independent fash- 
ion, that the bidirectional system is sound and complete with respect to the 
declarative system, establishing an equivalence between the two. 

This equivalence is then explored to establish, for weak normalizing theories, 
the decidability of inference for inferable terms, and the decidability of checking 
for checkable terms. This proof gives rise to generic type inference and checking 
algorithms, which have been implemented in a prototype theory-independent 
checker, allowing them to be used in practice with multiple theories. This im- 
plementation is described in detail in an accompanying experience report [22]. 


Plan of the paper We start in Section 2 by giving our general definition of type 
theories. We then move to Section 3, in which we give the declarative type system 
and show it satisfies nice properties. Section 4 then gives the bidirectional type 
system and its proof of equivalence with the declarative one. In Section 5 we show 
various examples of theories which are instances of our framework. We finish by 
discussing related work in Section 6 and then we conclude with Section 7. 


2 General type theories 


In this section, we give a general definition of type theories (or equivalently, a log- 
ical framework) for which we will give declarative and bidirectional type systems 
in later sections. Our definition is inspired by recent proposals of general defini- 
tions of type theories [29,45] and by the logical framework literature [27,8,26,40]. 
Our definition however crucially departs from these works by allowing for unan- 
notated syntaxes and by exploring the constructor/destructor symmetries of 
symbols and rules in type theories. 

We start the section by defining the raw syntax of our theories. Then, after 
defining patterns and substitution, we give one of the central definitions of our 
work: the one of theory. We finish the section by describing the rewrite judgment 
used to specify the definitional equality of our type theories. 


2.1 Raw Syntax 


Scopes and signatures The basic ingredients of our raw expressions are variables, 
metavariables and symbols. These are specified by scopes and signatures, which 


we define by the following grammars. 
$\mathrm{Scope} \ni \gamma, \delta ::= \cdot \mid \gamma, x$
$\mathrm{MScope} \ni \theta, \xi ::= \cdot \mid \theta, \mathsf{x}\{\delta\}$
$\mathrm{Sig} \ni \Sigma ::= \cdot \mid \Sigma, c(\theta) \mid \Sigma, d(\theta)$


Let us go through the definition. A (variable) scope $\gamma$ is simply a list of variables, whereas a metavariable scope $\theta$ is a list of metavariables, each being accompanied by a variable scope $\delta$ explaining the arguments each metavariable expects. A signature $\Sigma$ then assigns a metavariable scope $\theta$ to each symbol, also explaining the arguments it expects. 

We see that, from the start, we split symbols in two classes: constructors c 
and destructors d. This separation will be justified by the fact that each of these 
two classes will play a different role in our theories: destructors are the source of 
computation and are bidirectionally typed in mode infer, whereas constructors 
are the results of computations and are bidirectionally typed in mode check. 

In the following, we write $\gamma.\delta$ and $\theta.\xi$ for scope concatenation, and we write 
constructor names in blue and destructor names in orange. 


Example 1. The following signature $\Sigma_{\lambda\Pi}$ defines the raw syntax of a minimalistic Martin-Löf Type Theory (MLTT) with only dependent functions.

$$\mathrm{Ty},\quad \mathrm{Tm}(A),\quad \Pi(A, B\{x\}),\quad \lambda(t\{x\}),\quad @(u) \qquad (\Sigma_{\lambda\Pi})$$


The entry for @ might seem a bit strange since application usually takes two 
arguments, t and u. As we will see, destructors automatically take an extra 
argument, so we do not need to specify one for t. The reason for including 
symbols Ty and Tm will also become clear later. 


Terms and spines Given a fixed signature È, we then define the terms, (variable) 
substitutions and metavariable substitutions by the following grammars. 


$\mathrm{Tm}\ \theta\ \gamma \ni t, u, T, U ::= x$ if $x \in \gamma$
$\quad\mid\ \mathsf{x}\{\vec{t} \in \mathrm{Sub}\ \theta\ \gamma\ \delta\}$ if $\mathsf{x}\{\delta\} \in \theta$
$\quad\mid\ c(\vec{t} \in \mathrm{MSub}\ \theta\ \gamma\ \xi)$ if $c(\xi) \in \Sigma$
$\quad\mid\ d(t \in \mathrm{Tm}\ \theta\ \gamma;\ \vec{t} \in \mathrm{MSub}\ \theta\ \gamma\ \xi)$ if $d(\xi) \in \Sigma$

$\mathrm{Sub}\ \theta\ \gamma\ \delta \ni \vec{t}, \vec{u}, \vec{s}, \vec{v} ::= \varepsilon$ if $\delta = \cdot$
$\quad\mid\ \vec{u} \in \mathrm{Sub}\ \theta\ \gamma\ \delta',\ t \in \mathrm{Tm}\ \theta\ \gamma$ if $\delta = \delta', x$

$\mathrm{MSub}\ \theta\ \gamma\ \xi \ni \vec{t}, \vec{u}, \vec{s}, \vec{v} ::= \varepsilon$ if $\xi = \cdot$
$\quad\mid\ \vec{u} \in \mathrm{MSub}\ \theta\ \gamma\ \xi',\ \vec{x}_\delta.t \in \mathrm{Tm}\ \theta\ \gamma.\delta$ if $\xi = \xi', \mathsf{x}\{\delta\}$


We go through the definition step by step. First, we elect an intrinsically-scoped presentation of syntax, so the definitions of terms, substitutions and metavariable substitutions are each indexed by a scope $\gamma$ and a metavariable scope $\theta$, describing the variables and metavariables that can appear free.

A term is then either a variable $x$, a metavariable $\mathsf{x}$ applied to a substitution $\vec{t}$, a constructor $c$ applied to a metavariable substitution $\vec{t}$ or a destructor $d$ applied to a term $t$ and a metavariable substitution $\vec{t}$. At the level of the syntax, the main difference between constructors and destructors is that the latter are automatically applied to a first argument, called the principal argument. Note also that we require each variable and metavariable to be in scope, and each metavariable or symbol to be applied to a substitution matching its scope of arguments, as specified by $\theta$ or $\Sigma$.

A (variable) substitution $\vec{t} \in \mathrm{Sub}\ \theta\ \gamma\ \delta$ is then either the empty substitution when $\delta$ is empty, or a substitution $\vec{u} \in \mathrm{Sub}\ \theta\ \gamma\ \delta'$ and a term $t \in \mathrm{Tm}\ \theta\ \gamma$ when $\delta = \delta', x$. Therefore, we see that the scope $\delta$ describes the output (or the domain of definition) of the substitution $\vec{t}$. Similarly, a metavariable substitution $\vec{t} \in \mathrm{MSub}\ \theta\ \gamma\ \xi$ is either empty when $\xi$ is empty, or a metavariable substitution $\vec{u} \in \mathrm{MSub}\ \theta\ \gamma\ \xi'$ and a term $t \in \mathrm{Tm}\ \theta\ \gamma.\delta$ when $\xi = \xi', \mathsf{x}\{\delta\}$. Unlike variable substitutions, metavariable substitutions are allowed to extend the scope of their arguments by binding the variables in $\delta$, which we refer to by $\vec{x}_\delta$. This is used for instance in the cases of $\lambda$ and $\Pi$ in the following example. 


Example 2. The terms defined by the signature $\Sigma_{\lambda\Pi}$ are given by the following grammar, where we omit the scope requirements for variables and metavariables.

$$t, u, A, B ::= x \mid \mathsf{x}\{\vec{t}\} \mid \mathrm{Ty} \mid \mathrm{Tm}(A) \mid \lambda(x.t) \mid \Pi(A, x.B) \mid @(t; u)$$


In the following, given a metavariable substitution $\vec{t} \in \mathrm{MSub}\ \theta\ \gamma\ \xi$ and $\mathsf{x}\{\delta\} \in \xi$, we write $\vec{t}_{\mathsf{x}} \in \mathrm{Tm}\ \theta\ \gamma.\delta$ for the term in $\vec{t}$ at the position pointed by $\mathsf{x}$. Similarly, given a substitution $\vec{t} \in \mathrm{Sub}\ \theta\ \gamma\ \delta$ and $x \in \delta$, we write $\vec{t}_x \in \mathrm{Tm}\ \theta\ \gamma$ for the term in $\vec{t}$ at the position pointed by $x$. 


Contexts Given a fixed signature X, we define (variable) contexts and metavari- 
able contexts by the following grammars. 


$\mathrm{Ctx}\ \theta\ \gamma \ni \Gamma, \Delta ::= \cdot \mid \Gamma, x : T \in \mathrm{Tm}\ \theta\ \gamma.|\Gamma|$

$\mathrm{MCtx}\ \theta \ni \Theta, \Xi ::= \cdot \mid \Theta, \mathsf{x}\{\Delta \in \mathrm{Ctx}\ \theta.|\Theta|\} : T \in \mathrm{Tm}\ \theta.|\Theta|\ |\Delta|$

These are specified mutually with the underlying scopes $|\Gamma|$ of $\Gamma$ and $|\Theta|$ of $\Theta$, defined by the following clauses.

$|\_| : \mathrm{Ctx}\ \theta\ \gamma \to \mathrm{Scope}$
$|\cdot| := \cdot$
$|\Gamma, x : T| := |\Gamma|, x$

$|\_| : \mathrm{MCtx}\ \theta \to \mathrm{MScope}$
$|\cdot| := \cdot$
$|\Theta, \mathsf{x}\{\Delta\} : T| := |\Theta|, \mathsf{x}\{|\Delta|\}$


A context $\Gamma \in \mathrm{Ctx}\ \theta\ \gamma$ is either empty, or composed by a context $\Gamma' \in \mathrm{Ctx}\ \theta\ \gamma$ and a variable $x$ with a term $T \in \mathrm{Tm}\ \theta\ \gamma.|\Gamma'|$. The first important thing to note is that the term $T$ does not live in scope $\gamma$, but in the extension of $\gamma$ with the underlying scope of $\Gamma'$, meaning that each entry in the context has access to the previously declared variables. Second, like in other frameworks [45], terms can 
also play the role of judgments, as illustrated by the following example. 


Example 3. In MLTT we have two judgment forms: O type for classifying types, 
and O : A for classifying terms. In our framework, these are represented by the 
constructors $\mathrm{Ty}$ and $\mathrm{Tm}$. For instance, the context $A\ \mathrm{type}, x : A, y : (\Pi z : A.\,A)$ of MLTT is represented in our framework as

$$A : \mathrm{Ty},\ x : \mathrm{Tm}(A),\ y : \mathrm{Tm}(\Pi(A, z.A))$$

which is syntactically well-formed in the signature $\Sigma_{\lambda\Pi}$. We can also write some strange contexts like $x : \lambda(z.z), y : x$, which will be eliminated later by typing. 


The case of a metavariable context $\Theta \in \mathrm{MCtx}\ \theta$ is similar. We have either $\Theta$ empty or $\Theta = \Theta', \mathsf{x}\{\Delta\} : T$, where $\Delta$ has access to metavariables in $\theta$ and $\Theta'$, and $T$ has moreover access to the variables in $\Delta$. 
Notation 1. We finish this subsection by establishing some notations. 


— We write $e \in \mathrm{Expr}\ \theta\ \gamma$ as an informal abbreviation for any of the following: $e \in \mathrm{Tm}\ \theta\ \gamma$ or $e \in \mathrm{Sub}\ \theta\ \gamma\ \delta$ or $e \in \mathrm{MSub}\ \theta\ \gamma\ \xi$ or $e \in \mathrm{Ctx}\ \theta\ \gamma$. 

— If the underlying signature is not clear from the context, we write $\mathrm{Tm}_\Sigma$, $\mathrm{Sub}_\Sigma$, $\mathrm{MSub}_\Sigma$, $\mathrm{Ctx}_\Sigma$, $\mathrm{MCtx}_\Sigma$ in order to make it explicit. 

— We write $\mathrm{Ctx}\ \theta$ for $\mathrm{Ctx}\ \theta\ (\cdot)$, $\mathrm{Ctx}$ for $\mathrm{Ctx}\ (\cdot)\ (\cdot)$ and $\mathrm{MCtx}$ for $\mathrm{MCtx}\ (\cdot)$. 


Remark 1. Because we work with a nameful syntax, we allow ourselves to implicitly weaken expressions: if $e \in \mathrm{Expr}\ \theta\ \gamma$ and $\theta$ is a subsequence of $\theta'$ and $\gamma$ is a subsequence of $\gamma'$ then we also have $e \in \mathrm{Expr}\ \theta'\ \gamma'$. Nevertheless, we expect 
that our proofs can be formally carried out using de Bruijn indices, by properly 
inserting weakenings whenever needed, and showing all the associated lemmata. 


2.2 Substitution 


Before defining the application of a substitution to a term, we first need to define the identity substitutions, by the following clauses. Note that, while the identity variable substitution $\mathrm{id}_\gamma$ is just the list of variables from $\gamma$, the identity metavariable substitution $\mathrm{id}_\theta$ needs to eta-expand each metavariable $\mathsf{x}\{\delta\} \in \theta$ to $\vec{x}_\delta.\mathsf{x}\{\mathrm{id}_\delta\}$ in order for the result to be a valid metavariable substitution. In the following, we sometimes abuse notation and write $\mathrm{id}_\Gamma$ for $\mathrm{id}_{|\Gamma|}$ and $\mathrm{id}_\Theta$ for $\mathrm{id}_{|\Theta|}$.


$\mathrm{id}_{\_} : (\gamma \in \mathrm{Scope}) \to \mathrm{Sub}\ (\cdot)\ \gamma\ \gamma$
$\mathrm{id}_{(\cdot)} := \varepsilon$
$\mathrm{id}_{\gamma, x} := \mathrm{id}_\gamma, x$

$\mathrm{id}_{\_} : (\theta \in \mathrm{MScope}) \to \mathrm{MSub}\ \theta\ (\cdot)\ \theta$
$\mathrm{id}_{(\cdot)} := \varepsilon$
$\mathrm{id}_{\theta, \mathsf{x}\{\gamma\}} := \mathrm{id}_\theta, \vec{x}_\gamma.\mathsf{x}\{\mathrm{id}_\gamma\}$


We can now define in Figure 1 the application of a substitution to an expression. Given a variable substitution $\vec{v} \in \mathrm{Sub}\ \theta\ \gamma_1\ \gamma_2$ its application to an expression $e \in \mathrm{Expr}\ \theta\ \gamma_2$ gives $e[\vec{v}] \in \mathrm{Expr}\ \theta\ \gamma_1$, and given a metavariable substitution $\vec{v} \in \mathrm{MSub}\ \theta_1\ \delta\ \theta_2$ its application to an expression $e \in \mathrm{Expr}\ \theta_2\ \gamma$ gives $e[\vec{v}] \in \mathrm{Expr}\ \theta_1\ \delta.\gamma$. The main case of the definition is when we substitute $\vec{v} \in \mathrm{MSub}\ \theta_1\ \delta\ \theta_2$ in the term $\mathsf{x}\{\vec{t}\} \in \mathrm{Tm}\ \theta_2\ \gamma$. If $\mathsf{x}\{\gamma_{\mathsf{x}}\} \in \theta_2$, then by recursively substituting $\vec{v}$ in $\vec{t} \in \mathrm{Sub}\ \theta_2\ \gamma\ \gamma_{\mathsf{x}}$ we get $\vec{t}[\vec{v}] \in \mathrm{Sub}\ \theta_1\ \delta.\gamma\ \gamma_{\mathsf{x}}$. We moreover have $\vec{v}_{\mathsf{x}} \in \mathrm{Tm}\ \theta_1\ \delta.\gamma_{\mathsf{x}}$, so by substituting the variables in $\gamma_{\mathsf{x}}$ by $\vec{t}[\vec{v}]$ and the ones in $\delta$ by $\mathrm{id}_\delta$ we get $\vec{v}_{\mathsf{x}}[\mathrm{id}_\delta, \vec{t}[\vec{v}]] \in \mathrm{Tm}\ \theta_1\ \delta.\gamma$ as the final result. 


Example 4. If $t \in \mathrm{Tm}\ (\cdot)\ (\gamma, x)$ and $u \in \mathrm{Tm}\ (\cdot)\ \gamma$, then by applying $\bar{x}.t, u \in
\mathrm{MSub}\ (\cdot)\ \gamma\ (t\{x\}, u)$ to $@(\lambda(x.t\{x\}); u) \in \mathrm{Tm}\ (t\{x\}, u)\ (\cdot)$ we get the term
$@(\lambda(x.t); u) \in \mathrm{Tm}\ (\cdot)\ \gamma$. Note in particular that, compared to frameworks derived
from contextual modal type theory [37], our metavariable substitutions are not
required to be closed and can introduce new variables in the scope of the resulting
term. For instance, while the initial term $@(\lambda(x.t\{x\}); u)$ lives in an empty
variable scope, the resulting term $@(\lambda(x.t); u)$ lives in the variable scope $\gamma$.


Substitution application satisfies all the expected laws, such as $e[\mathbf{v}][\mathbf{u}] =
e[\mathbf{v}[\mathbf{u}]]$, $e[\mathrm{id}_\gamma] = e$ and $\mathrm{id}_\theta[\mathbf{v}] = \mathbf{v}$ — we refer to the technical report [24] for a
detailed account of these properties, and for the full definition of substitution.
$$\begin{array}{ll}
\_[\_] : \mathrm{Tm}\ \theta\ \gamma_2 \to \mathrm{Sub}\ \theta\ \gamma_1\ \gamma_2 \to \mathrm{Tm}\ \theta\ \gamma_1 & \_[\_] : \mathrm{Tm}\ \theta_2\ \gamma \to \mathrm{MSub}\ \theta_1\ \delta\ \theta_2 \to \mathrm{Tm}\ \theta_1\ \delta.\gamma \\[4pt]
x[\vec{v}] := \vec{v}_x & x[\mathbf{v}] := x \\
x\{\vec{t}\}[\vec{v}] := x\{\vec{t}[\vec{v}]\} & x\{\vec{t}\}[\mathbf{v}] := \mathbf{v}_x[\mathrm{id}_\delta, \vec{t}[\mathbf{v}]] \\
c(\mathbf{t})[\vec{v}] := c(\mathbf{t}[\vec{v}]) & c(\mathbf{t})[\mathbf{v}] := c(\mathbf{t}[\mathbf{v}]) \\
d(t; \mathbf{u})[\vec{v}] := d(t[\vec{v}]; \mathbf{u}[\vec{v}]) & d(t; \mathbf{u})[\mathbf{v}] := d(t[\mathbf{v}]; \mathbf{u}[\mathbf{v}])
\end{array}$$


Fig. 1. Application of a variable or metavariable substitution (excerpt)


2.3 Patterns 


There will be a need to isolate a special class of expressions that will be shown
later to support decidable and unitary matching. This will be needed both to
define the rewrite rules of our theories and to determine when omitted arguments
can be recovered. For this, given a fixed signature $\Sigma$, we define the term patterns
and metavariable substitution patterns by the following grammars.


$$\begin{array}{lll}
\mathrm{Tm}^p\ \theta\ \gamma \ni t, u & ::= & x\{\mathrm{id}_\gamma\} \qquad \text{if } \theta = x\{\gamma\} \\
& \mid & c(\mathbf{t} \in \mathrm{MSub}^p\ \theta\ \gamma\ \xi) \qquad \text{if } c(\xi) \in \Sigma \\[4pt]
\mathrm{MSub}^p\ \theta\ \gamma\ \xi \ni \mathbf{t}, \mathbf{u} & ::= & \varepsilon \qquad \text{if } \xi = \cdot \text{ and } \theta = \cdot \\
& \mid & \mathbf{t} \in \mathrm{MSub}^p\ \theta_1\ \gamma\ \xi', \bar{x}_\delta.t \in \mathrm{Tm}^p\ \theta_2\ \gamma.\delta \qquad \text{if } \xi = \xi', x\{\delta\} \text{ and } \theta = \theta_1.\theta_2
\end{array}$$


As we can see, the only symbols that are allowed to appear in patterns are
constructors. This will be essential later to ensure that patterns do not only
support syntactic matching, but also matching modulo rewriting. Moreover, our
patterns are linear, and so each metavariable in scope occurs exactly once. Finally,
our patterns are fully-applied, meaning that each metavariable occurrence
is fully applied to all variables in scope.


Example 5. In the signature $\Sigma_{\lambda\Pi}$ we can build the pattern
$$\mathrm{Tm}(\Pi(A, x.B\{x\})) \in \mathrm{Tm}^p\ (A, B\{x\})\ (\cdot)$$


We have the inclusions $\mathrm{Tm}^p\ \theta\ \gamma \subseteq \mathrm{Tm}\ \theta\ \gamma$ and $\mathrm{MSub}^p\ \theta\ \gamma\ \xi \subseteq \mathrm{MSub}\ \theta\ \gamma\ \xi$,
which we use to implicitly coerce patterns into regular expressions when needed.


2.4 Theories 


We now come to a central definition in our work, that of a theory $\mathbb{T}$. We define
inductively how a theory is built, simultaneously with its underlying signature $|\mathbb{T}|$
— technically, our definition is by small induction-recursion. The base case covers
the empty theory $\mathbb{T} = (\cdot)$, so assuming now a theory $\mathbb{T}$ is given we can extend
it with two types of entries: schematic typing rules and rewrite rules. We start
with the first, which come in three kinds: sort, constructor and destructor rules.
Sort rules In our framework, a sort $T$ is a term that can appear to the right
of a colon.¹ As hinted in Example 3, and following [13,45,44], sorts are used to
specify the judgment forms of a theory. For instance, the two judgment forms of
MLTT "$\square$ type" and "$\square : A$" are defined by the following.


$$\dfrac{}{\vdash \mathrm{Ty}\ \mathsf{sort}} \qquad\qquad \dfrac{\vdash A : \mathrm{Ty}}{\vdash \mathrm{Tm}(A)\ \mathsf{sort}}$$

Formally, a sort rule is of the form
$$c(\Xi \in \mathrm{MCtx})\ \mathsf{sort}$$


and the previously shown rules are just an informal notation for $\mathrm{Ty}(\cdot)\ \mathsf{sort}$ and
$\mathrm{Tm}(A : \mathrm{Ty})\ \mathsf{sort}$. In the following, we will make use of such informal representations
in order to enhance readability of schematic rules. Note also that the
premises (e.g. $\vdash A : \mathrm{Ty}$) correspond to entries in the metavariable context of the
rule, and henceforth we will use these two points of view interchangeably.


Constructor rules Like most works in bidirectional typing [35,19,1,16], our framework
imposes that constructors are to be bidirectionally typed in mode check,
and thus the sort of the conclusion can be used to recover arguments which are
not recorded in the syntax. To capture this, premises are split into two metavariable
contexts $\Xi_1$ and $\Xi_2$, where $\Xi_1$ is erased and $\Xi_2$ is stored in the term. The sort
$T$ is then required to be a pattern containing the metavariables of $\Xi_1$, leading to
constructor rules of the following form.


$$c(\Xi_1 \in \mathrm{MCtx};\ \Xi_2 \in \mathrm{MCtx}\ |\Xi_1|) : T \in \mathrm{Tm}^p\ |\Xi_1|\ (\cdot)$$


Two examples of constructor rules are the ones for $\Pi$ and $\lambda$ — note however
that the one for $\Pi$ is slightly degenerate, given that we have $\Xi_1 = \cdot$ and thus no
erased premises.


$$\dfrac{\vdash A : \mathrm{Ty} \qquad x : \mathrm{Tm}(A) \vdash B : \mathrm{Ty}}{\vdash \Pi(A, B) : \mathrm{Ty}}
\qquad
\dfrac{\vdash A : \mathrm{Ty} \qquad x : \mathrm{Tm}(A) \vdash B : \mathrm{Ty} \qquad x : \mathrm{Tm}(A) \vdash t : \mathrm{Tm}(B\{x\})}{\vdash \lambda(t) : \mathrm{Tm}(\Pi(A, x.B\{x\}))}$$


These are just informal notations for $\Pi(\cdot;\ A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty}) : \mathrm{Ty}$
and $\lambda(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty};\ t\{x : \mathrm{Tm}(A)\} : \mathrm{Tm}(B\{x\})) : \mathrm{Tm}(\Pi(A, x.B\{x\}))$.


Destructor rules As for constructor rules, in destructor rules premises are also
separated into erased $\Xi_1$ and non-erased $\Xi_2$ parts. However, unlike constructors,
destructors are bidirectionally typed in inference mode. In this case, the erased
arguments in $\Xi_1$ are not to be recovered from the sort of the conclusion, but
instead by inferring the sort of the principal argument, which is required to be
a pattern containing the metavariables of $\Xi_1$. The destructor rules are therefore
of the following form.


¹ We avoid calling them "types" to prevent a name clash with the types of the theories
we define. Still, we allow ourselves to say "$t$ is typed by sort $T$" to mean $t : T$.


$$d(\Xi_1 \in \mathrm{MCtx};\ x : T \in \mathrm{Tm}^p\ |\Xi_1|\ (\cdot);\ \Xi_2 \in \mathrm{MCtx}\ |\Xi_1.(x : T)|) : U \in \mathrm{Tm}\ |\Xi_1.(x : T).\Xi_2|\ (\cdot)$$


The main example of destructor rule is the application rule


$$\dfrac{\vdash A : \mathrm{Ty} \qquad x : \mathrm{Tm}(A) \vdash B : \mathrm{Ty} \qquad \vdash t : \mathrm{Tm}(\Pi(A, x.B\{x\})) \qquad \vdash u : \mathrm{Tm}(A)}{\vdash @(t; u) : \mathrm{Tm}(B\{u\})}$$


which is just an informal notation for
$$@(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty};\ t : \mathrm{Tm}(\Pi(A, x.B\{x\}));\ u : \mathrm{Tm}(A)) : \mathrm{Tm}(B\{u\})$$


Rewrite rules Finally, the last type of rules are rewrite rules, which allow us
to specify the definitional equality (also known as conversion) of the theory. As
suggested by our constructor/destructor separation of symbols, the left-hand
sides of rewrite rules are to be headed by destructors. Moreover, to ensure the
decidability of rewriting, we also ask both arguments $t$ and $\mathbf{u}$ of the left-hand
side $d(t; \mathbf{u})$ to be patterns. The right-hand side of the rule is then a term containing
only the metavariables introduced by $t$ and $\mathbf{u}$. The rewrite rules are hence of the
following form, where $d(\xi) \in |\mathbb{T}|$.


$$\theta_1; \theta_2 \Vdash d(t \in \mathrm{Tm}^p\ \theta_1\ (\cdot);\ \mathbf{u} \in \mathrm{MSub}^p\ \theta_2\ (\cdot)\ \xi) \longmapsto r \in \mathrm{Tm}\ \theta_1.\theta_2\ (\cdot)$$


We shall also ask for a supplementary condition: in order to extend a theory $\mathbb{T}$
with a rule $\theta_1; \theta_2 \Vdash l \longmapsto r$, there can be no rule $\theta'_1; \theta'_2 \Vdash l' \longmapsto r'$ in $\mathbb{T}$ such that
we have $l[\mathbf{v}] = l'[\mathbf{v}']$ for some $\mathbf{v}$ and $\mathbf{v}'$. As discussed in the next subsection,
this will ensure that the rewrite system is confluent by construction.

The prototypical example of a rewrite rule is the computation rule for functions:
the $\beta$-rule from the $\lambda$-calculus.
$$t\{x\}; u \Vdash @(\lambda(x.t\{x\}); u) \longmapsto t\{u\}$$


In the following we allow ourselves to omit the metavariable scopes $\theta_1; \theta_2$ as
these can be easily reconstructed by inspecting the rewrite rule's left-hand side.


Underlying signature Finally, the recursive definition of the underlying signature
of a theory is given by the following clauses, where we write $\mathrm{Thy}$ for the set of
theories. As we can see, in both constructor and destructor rules the metavariable
context of erased premises $\Xi_1$ is omitted from the syntax. Moreover, rewrite rules
are simply ignored when computing the underlying signature.


$$\begin{array}{ll}
|\_| : \mathrm{Thy} \to \mathrm{Sig} & |\mathbb{T}, c(\Xi_1; \Xi_2) : U| := |\mathbb{T}|, c(|\Xi_2|) \\
|\cdot| := \cdot & |\mathbb{T}, d(\Xi_1; x : T; \Xi_2) : U| := |\mathbb{T}|, d(|\Xi_2|) \\
|\mathbb{T}, c(\Xi)\ \mathsf{sort}| := |\mathbb{T}|, c(|\Xi|) & |\mathbb{T}, \theta_1; \theta_2 \Vdash d(t; \mathbf{u}) \longmapsto r| := |\mathbb{T}|
\end{array}$$
Example 6. By putting together all of the rules previously seen in this subsection,
we get the following theory $\mathbb{T}_{\lambda\Pi}$ defining a basic version of MLTT with only
dependent functions.


$$\begin{array}{l}
\mathrm{Ty}(\cdot)\ \mathsf{sort},\quad \mathrm{Tm}(A : \mathrm{Ty})\ \mathsf{sort},\quad \Pi(\cdot;\ A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty}) : \mathrm{Ty}, \qquad (\mathbb{T}_{\lambda\Pi}) \\
\lambda(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty};\ t\{x : \mathrm{Tm}(A)\} : \mathrm{Tm}(B\{x\})) : \mathrm{Tm}(\Pi(A, x.B\{x\})), \\
@(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty};\ t : \mathrm{Tm}(\Pi(A, x.B\{x\}));\ u : \mathrm{Tm}(A)) : \mathrm{Tm}(B\{u\}), \\
@(\lambda(x.t\{x\}); u) \longmapsto t\{u\}
\end{array}$$


When computing its underlying signature $|\mathbb{T}_{\lambda\Pi}|$ we get the signature $\Sigma_{\lambda\Pi}$.


2.5 Rewriting 


The rewrite rules of a theory $\mathbb{T}$ are used to define the rewrite relation $e \longrightarrow e'$ for
expressions $e, e' \in \mathrm{Expr}\ \theta\ \gamma$, which is given by the context closure of the following
rule — see the technical report [24] for the full definition.

$$\dfrac{(\theta_1; \theta_2 \Vdash d(t; \mathbf{u}) \longmapsto r) \in \mathbb{T} \qquad \mathbf{v}_1 \in \mathrm{MSub}\ \theta\ \gamma\ \theta_1 \qquad \mathbf{v}_2 \in \mathrm{MSub}\ \theta\ \gamma\ \theta_2}{d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) \longrightarrow r[\mathbf{v}_1, \mathbf{v}_2]}$$


The relations $\longrightarrow^+$, $\longrightarrow^*$ and $\equiv$ are then defined as usual, respectively as the
transitive, reflexive-transitive and reflexive-symmetric-transitive closures of $\longrightarrow$.
The relation $\equiv$ is called the definitional equality (or conversion) of the theory.

Rewriting satisfies the key property of being stable under substitution: if
$e \longrightarrow^* e'$ and $\vec{v} \longrightarrow^* \vec{v}'$ then $e[\vec{v}] \longrightarrow^* e'[\vec{v}']$, and if $e \longrightarrow^* e'$ and $\mathbf{v} \longrightarrow^* \mathbf{v}'$
then $e[\mathbf{v}] \longrightarrow^* e'[\mathbf{v}']$. This implies in particular that definitional equality is also
stable under substitution.

Finally, recall that when defining theories we asked that no two different left-hand
sides should unify. Because this is the only way two rules can overlap, this
means that there are no critical pairs [11]. Therefore, because rules are also all
left-linear, it follows that the rewrite system of any theory is orthogonal, hence
confluent by [34, Theorem 6.11].


Proposition 1 (Confluence). If $e' \,{}^*\!\!\longleftarrow e \longrightarrow^* e''$ then there is some $e'''$ such
that $e' \longrightarrow^* e''' \,{}^*\!\!\longleftarrow e''$. In particular, this implies that whenever $e \equiv e'$ then we
have $e \longrightarrow^* e'' \,{}^*\!\!\longleftarrow e'$ for some $e''$.


Notation 2. Whenever the underlying theory is not clear from the context we
write $\longrightarrow_{\mathbb{T}}$, $\longrightarrow^+_{\mathbb{T}}$, $\longrightarrow^*_{\mathbb{T}}$ and $\equiv_{\mathbb{T}}$ to make it explicit.


3 Declarative type system 


In the previous section we have given a general definition of type theories. As 
explained in the introduction, each theory also defines a declarative type system, 
which can be seen as the platonic type system, and a bidirectional type system, 
which is the one that can be algorithmically used in practice. 
In this section we introduce the declarative type system. This system is then
used to define the valid theories, a class of theories which are well-behaved. We 
then conclude the section by showing that the declarative system satisfies nice 
properties, and in particular satisfies subject reduction when the theory is valid. 


3.1 Declarative typing rules 


Given a fixed theory $\mathbb{T}$, the declarative type system is defined by the rules in
Figure 2. The system is split in 6 judgments:


— $\Theta \vdash$ : Well-formedness of metavariable context $\Theta$.

— $\Theta;\Gamma \vdash$ : Well-formedness of variable context $\Gamma$ under metavariable context $\Theta$.

— $\Theta;\Gamma \vdash T\ \mathsf{sort}$ : Well-formedness of sort $T$ under contexts $\Theta;\Gamma$.

— $\Theta;\Gamma \vdash t : T$ : Typing of a term $t$ by $T$ under contexts $\Theta;\Gamma$.

— $\Theta;\Gamma \vdash \vec{t} : \Delta$ : Typing of a variable substitution $\vec{t}$ by $\Delta$ under contexts $\Theta;\Gamma$.

— $\Theta;\Gamma \vdash \mathbf{t} : \Xi$ : Typing of a metavariable substitution $\mathbf{t}$ by $\Xi$ under contexts $\Theta;\Gamma$.


The most important rules are the ones which instantiate schematic typing
rules: Cons, Dest and Sort. For instance, in order to use Dest to type $d(t; \mathbf{u})$
a metavariable substitution $\mathbf{t}$ not stored in the syntax must be "guessed", and
then we must show that $\mathbf{t}, t, \mathbf{u}$ is typed by $\Xi_1.(x : T).\Xi_2$. The rules for typing a
metavariable substitution can then be applied, which has the effect of unfolding
the judgment $\mathbf{t}, t, \mathbf{u} : \Xi_1.(x : T).\Xi_2$ into regular term typing judgments. At the
end of this unfolding process, the resulting "big-step derivation" has basically
the same shape as the schematic typing rule for $d$, and it can be understood as
its instantiation. Let us look at a concrete example of this.


Example 7. Suppose we want to show that $@(t; u)$ is well-typed in the theory
$\mathbb{T}_{\lambda\Pi}$. Because $@$ is a destructor symbol with schematic rule


$$@(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty};\ t : \mathrm{Tm}(\Pi(A, x.B\{x\}));\ u : \mathrm{Tm}(A)) : \mathrm{Tm}(B\{u\})$$
by guessing some $A$ and $B$ we can start the derivation with rule Dest, giving
$$\dfrac{\Theta;\Gamma \vdash A, x.B, t, u : (A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty}, t : \mathrm{Tm}(\Pi(A, x.B\{x\})), u : \mathrm{Tm}(A))}{\Theta;\Gamma \vdash @(t; u) : \mathrm{Tm}(B\{u\})[A, x.B, t, u]}$$


If we note that $\mathrm{Tm}(B\{u\})[A, x.B, t, u] = \mathrm{Tm}(B[\mathrm{id}_\Gamma, u])$, and we continue by applying
the rules defining the judgment $\Theta;\Gamma \vdash \mathbf{t} : \Xi$, we get


$$\dfrac{\Theta;\Gamma \vdash \qquad \Theta;\Gamma \vdash A : \mathrm{Ty} \qquad \Theta;\Gamma, x : \mathrm{Tm}(A) \vdash B : \mathrm{Ty} \qquad \Theta;\Gamma \vdash t : \mathrm{Tm}(\Pi(A, x.B)) \qquad \Theta;\Gamma \vdash u : \mathrm{Tm}(A)}{\Theta;\Gamma \vdash @(t; u) : \mathrm{Tm}(B[\mathrm{id}_\Gamma, u])}$$


which can be understood as the instantiation of the schematic rule for $@$. This
also corresponds to the usual application rule of MLTT, as the first 3 premises
can be shown admissible by inversion of typing and the results of Subsection 3.3.
$$\Theta \vdash \qquad (\Theta \in \mathrm{MCtx})$$

$$\dfrac{}{\cdot \vdash}\ \text{EmptyMCtx} \qquad\qquad \dfrac{\Theta;\Gamma \vdash T\ \mathsf{sort}}{\Theta, x\{\Gamma\} : T \vdash}\ \text{ExtMCtx}$$

$$\Theta;\Gamma \vdash \qquad (\Theta \in \mathrm{MCtx};\ \Gamma \in \mathrm{Ctx}\ |\Theta|)$$

$$\dfrac{\Theta \vdash}{\Theta;\cdot \vdash}\ \text{EmptyCtx} \qquad\qquad \dfrac{\Theta;\Gamma \vdash T\ \mathsf{sort}}{\Theta;\Gamma, x : T \vdash}\ \text{ExtCtx}$$

$$\Theta;\Gamma \vdash T\ \mathsf{sort} \qquad (\Theta \in \mathrm{MCtx};\ \Gamma \in \mathrm{Ctx}\ |\Theta|;\ T \in \mathrm{Tm}\ |\Theta|\ |\Gamma|)$$

$$\dfrac{c(\Xi)\ \mathsf{sort} \in \mathbb{T} \qquad \Theta;\Gamma \vdash \mathbf{t} : \Xi}{\Theta;\Gamma \vdash c(\mathbf{t})\ \mathsf{sort}}\ \text{Sort}$$

$$\Theta;\Gamma \vdash t : T \qquad (\Theta \in \mathrm{MCtx};\ \Gamma \in \mathrm{Ctx}\ |\Theta|;\ T \in \mathrm{Tm}\ |\Theta|\ |\Gamma|;\ t \in \mathrm{Tm}\ |\Theta|\ |\Gamma|)$$

$$\dfrac{c(\Xi_1; \Xi_2) : T \in \mathbb{T} \qquad \Theta;\Gamma \vdash \mathbf{t}, \mathbf{u} : \Xi_1.\Xi_2}{\Theta;\Gamma \vdash c(\mathbf{u}) : T[\mathbf{t}]}\ \text{Cons} \qquad\qquad \dfrac{\Theta;\Gamma \vdash \qquad x : T \in \Gamma}{\Theta;\Gamma \vdash x : T}\ \text{Var}$$

$$\dfrac{d(\Xi_1; x : T; \Xi_2) : U \in \mathbb{T} \qquad \Theta;\Gamma \vdash \mathbf{t}, t, \mathbf{u} : \Xi_1.(x : T).\Xi_2}{\Theta;\Gamma \vdash d(t; \mathbf{u}) : U[\mathbf{t}, t, \mathbf{u}]}\ \text{Dest} \qquad\qquad \dfrac{x\{\Delta\} : T \in \Theta \qquad \Theta;\Gamma \vdash \vec{t} : \Delta}{\Theta;\Gamma \vdash x\{\vec{t}\} : T[\vec{t}]}\ \text{MVar}$$

$$\dfrac{\Theta;\Gamma \vdash t : T \qquad \Theta;\Gamma \vdash U\ \mathsf{sort} \qquad T \equiv U}{\Theta;\Gamma \vdash t : U}\ \text{Conv}$$

$$\Theta;\Gamma \vdash \vec{t} : \Delta \qquad (\Theta \in \mathrm{MCtx};\ \Gamma \in \mathrm{Ctx}\ |\Theta|;\ \Delta \in \mathrm{Ctx}\ |\Theta|;\ \vec{t} \in \mathrm{Sub}\ |\Theta|\ |\Gamma|\ |\Delta|)$$

$$\dfrac{\Theta;\Gamma \vdash}{\Theta;\Gamma \vdash \varepsilon : ()}\ \text{EmptySub} \qquad\qquad \dfrac{\Theta;\Gamma \vdash \vec{t} : \Delta \qquad \Theta;\Gamma \vdash t : T[\vec{t}]}{\Theta;\Gamma \vdash \vec{t}, t : (\Delta, x : T)}\ \text{ExtSub}$$

$$\Theta;\Gamma \vdash \mathbf{t} : \Xi \qquad (\Theta \in \mathrm{MCtx};\ \Gamma \in \mathrm{Ctx}\ |\Theta|;\ \Xi \in \mathrm{MCtx};\ \mathbf{t} \in \mathrm{MSub}\ |\Theta|\ |\Gamma|\ |\Xi|)$$

$$\dfrac{\Theta;\Gamma \vdash}{\Theta;\Gamma \vdash \varepsilon : (\cdot)}\ \text{EmptyMSub} \qquad\qquad \dfrac{\Theta;\Gamma \vdash \mathbf{t} : \Xi \qquad \Theta;\Gamma.\Delta[\mathbf{t}] \vdash t : T[\mathbf{t}]}{\Theta;\Gamma \vdash \mathbf{t}, \bar{x}_\Delta.t : (\Xi, x\{\Delta\} : T)}\ \text{ExtMSub}$$


Fig. 2. Declarative typing rules
Notation 3. We finish this subsection by establishing some notations.
1. We write $\Theta;\Gamma \vdash \mathcal{J}$ for any of the following: $\Theta;\Gamma \vdash$ or $\Theta;\Gamma \vdash T\ \mathsf{sort}$ or
$\Theta;\Gamma \vdash t : T$ or $\Theta;\Gamma \vdash \vec{t} : \Delta$ or $\Theta;\Gamma \vdash \mathbf{t} : \Xi$.
2. We write $\mathbb{T} \rhd \Theta;\Gamma \vdash \mathcal{J}$ when $\mathbb{T}$ is not clear from the context.
3. We write $\Theta \vdash \mathcal{J}$ for $\Theta;\cdot \vdash \mathcal{J}$ and $\Gamma \vdash \mathcal{J}$ for $\cdot;\Gamma \vdash \mathcal{J}$.


3.2 Valid theories 


Our definition of theories given in Subsection 2.4 is a bit too permissive, and we
would like to isolate a class of theories for which we can show nicer properties.
These are the valid theories, defined by the following inference rules.


$$\dfrac{}{\cdot\ \mathsf{valid}} \qquad\qquad \dfrac{\mathbb{T}\ \mathsf{valid} \qquad \mathbb{T} \rhd \Xi_1 \vdash T\ \mathsf{sort} \qquad \mathbb{T} \rhd \Xi_1.\Xi_2 \vdash}{\mathbb{T}, c(\Xi_1; \Xi_2) : T\ \mathsf{valid}}$$

$$\dfrac{\mathbb{T}\ \mathsf{valid} \qquad \mathbb{T} \rhd \Xi \vdash}{\mathbb{T}, c(\Xi)\ \mathsf{sort}\ \mathsf{valid}} \qquad\qquad \dfrac{\mathbb{T}\ \mathsf{valid} \qquad \mathbb{T} \rhd \Xi_1.(x : U).\Xi_2 \vdash T\ \mathsf{sort}}{\mathbb{T}, d(\Xi_1; x : U; \Xi_2) : T\ \mathsf{valid}}$$

$$\dfrac{\begin{array}{c}
\mathbb{T}\ \mathsf{valid} \qquad d(\Xi_1; x : U; \Xi_2) : V \in \mathbb{T} \qquad \text{for some } \Theta_1, \Theta_2 \text{ with } |\Theta_1| = \theta_1,\ |\Theta_2| = \theta_2: \\
\mathbb{T} \rhd \Xi_1.\Theta_1.\Theta_2 \vdash (\mathrm{id}_{\Xi_1}, t, \mathbf{u}) : \Xi_1.(x : U).\Xi_2 \qquad \mathbb{T} \rhd \Xi_1.\Theta_1.\Theta_2 \vdash r : V[\mathrm{id}_{\Xi_1}, t, \mathbf{u}]
\end{array}}{\mathbb{T}, \theta_1; \theta_2 \Vdash d(t; \mathbf{u}) \longmapsto r\ \mathsf{valid}}$$


Intuitively, the definition of valid theories ensures that each time we extend a
theory $\mathbb{T}$ with a schematic typing or rewrite rule, $\mathbb{T}$ can justify that the extension
is well-behaved. For sort rules $c(\Xi)\ \mathsf{sort}$ this means ensuring that the metavariable
context $\Xi$ is well-formed in $\mathbb{T}$, and for destructor rules $d(\Xi_1; x : U; \Xi_2) : T$ this
means ensuring that $T$ is a well-formed sort in metavariable context $\Xi_1.(x : U).\Xi_2$
and in the theory $\mathbb{T}$. The rule for a constructor $c(\Xi_1; \Xi_2) : T$ does not only ask
$\Xi_1.\Xi_2$ to be a well-formed metavariable context, but also for the term $T$ to be a
well-formed sort for $\Xi_1$ — recall that $T$ can only contain metavariables from $\Xi_1$.

The most complicated case is for a rewrite rule $\theta_1; \theta_2 \Vdash d(t; \mathbf{u}) \longmapsto r$, in
which we must find metavariable contexts $\Theta_1, \Theta_2$ with $|\Theta_1| = \theta_1$ and $|\Theta_2| = \theta_2$
allowing to type $\mathrm{id}_{\Xi_1}, t, \mathbf{u}$ and $r$. This technical condition is essential to prove
subject reduction of our valid theories (Theorem 1).

Example 8. It is tedious but uncomplicated to see that the theory $\mathbb{T}_{\lambda\Pi}$ is valid.
The most interesting part of the proof is when we add the $\beta$-rule


$$t\{x\}; u \Vdash @(\lambda(x.t\{x\}); u) \longmapsto t\{u\}$$
If we write $\mathbb{T}'$ for the part of $\mathbb{T}_{\lambda\Pi}$ preceding this declaration, and (for space
reasons) we abbreviate $(A : \mathrm{Ty}, B\{x : \mathrm{Tm}(A)\} : \mathrm{Ty})$ as $\Theta_{AB}$, we have to show
$$\mathbb{T}' \rhd \Theta_{AB}.\Theta_1.\Theta_2 \vdash (A, x.B\{x\}, \lambda(x.t\{x\}), u) : \Theta_{AB}.(t : \mathrm{Tm}(\Pi(A, x.B\{x\})), u : \mathrm{Tm}(A))$$
and

$$\mathbb{T}' \rhd \Theta_{AB}.\Theta_1.\Theta_2 \vdash t\{u\} : \mathrm{Tm}(B\{u\})$$


which can both be easily shown if we choose $\Theta_1 = t\{x : \mathrm{Tm}(A)\} : \mathrm{Tm}(B\{x\})$ and
$\Theta_2 = u : \mathrm{Tm}(A)$, which indeed satisfy $|\Theta_1| = t\{x\}$ and $|\Theta_2| = u$.
3.3 Basic metaproperties

We now show some basic metaproperties satisfied by the declarative type system.
The assumption that the theory is valid is not necessary for all results, and will be
stated explicitly when needed. We give proof sketches for some of the properties,
and refer to the technical report [24] for the proofs.


Proposition 2 (Contexts are well-formed). The following rules are admissible.
$$\dfrac{\Theta;\Gamma \vdash \mathcal{J}}{\Theta;\Gamma \vdash} \qquad\qquad \dfrac{\Theta;\Gamma \vdash \mathcal{J}}{\Theta \vdash}$$


Proposition 3 (Weakening). Let us write $\Gamma \sqsubseteq \Delta$ if $\Gamma$ is a subsequence of $\Delta$,
and $\Theta \sqsubseteq \Xi$ if $\Theta$ is a subsequence of $\Xi$. The following rules are admissible.


$$\dfrac{\Theta;\Gamma \vdash \mathcal{J} \qquad \Theta;\Delta \vdash \qquad \Gamma \sqsubseteq \Delta}{\Theta;\Delta \vdash \mathcal{J}} \qquad\qquad \dfrac{\Theta;\Gamma \vdash \mathcal{J} \qquad \Xi;\Gamma \vdash \qquad \Theta \sqsubseteq \Xi}{\Xi;\Gamma \vdash \mathcal{J}}$$


In order to state the substitution property, given $\Theta;\Delta \vdash \mathcal{J}$ we define the
notations $(\Theta;\Delta \vdash \mathcal{J})[\vec{v}]$ and $(\Theta;\Delta \vdash \mathcal{J})[\mathbf{v}]$ by the following table.


$$\begin{array}{l|l|l}
\Theta;\Delta \vdash \mathcal{J} & (\Theta;\Delta \vdash \mathcal{J})[\vec{v}] & (\Theta;\Delta \vdash \mathcal{J})[\mathbf{v}] \\
& \text{where } \Theta;\Gamma \vdash \vec{v} : \Delta & \text{where } \Xi;\Gamma \vdash \mathbf{v} : \Theta \\ \hline
\Theta;\Delta \vdash & \Theta;\Gamma \vdash & \Xi;\Gamma.\Delta[\mathbf{v}] \vdash \\
\Theta;\Delta \vdash T\ \mathsf{sort} & \Theta;\Gamma \vdash T[\vec{v}]\ \mathsf{sort} & \Xi;\Gamma.\Delta[\mathbf{v}] \vdash T[\mathbf{v}]\ \mathsf{sort} \\
\Theta;\Delta \vdash t : T & \Theta;\Gamma \vdash t[\vec{v}] : T[\vec{v}] & \Xi;\Gamma.\Delta[\mathbf{v}] \vdash t[\mathbf{v}] : T[\mathbf{v}] \\
\Theta;\Delta \vdash \vec{t} : \Delta' & \Theta;\Gamma \vdash \vec{t}[\vec{v}] : \Delta' & \Xi;\Gamma.\Delta[\mathbf{v}] \vdash \mathrm{id}_\Gamma, \vec{t}[\mathbf{v}] : \Gamma.\Delta'[\mathbf{v}] \\
\Theta;\Delta \vdash \mathbf{t} : \Xi & \Theta;\Gamma \vdash \mathbf{t}[\vec{v}] : \Xi & \Xi;\Gamma.\Delta[\mathbf{v}] \vdash \mathbf{t}[\mathbf{v}] : \Xi
\end{array}$$


Proposition 4 (Substitution property). The following rules are admissible.
$$\dfrac{\Theta;\Gamma \vdash \vec{v} : \Delta \qquad \Theta;\Delta \vdash \mathcal{J}}{(\Theta;\Delta \vdash \mathcal{J})[\vec{v}]} \qquad\qquad \dfrac{\Xi;\Gamma \vdash \mathbf{v} : \Theta \qquad \Theta;\Delta \vdash \mathcal{J}}{(\Theta;\Delta \vdash \mathcal{J})[\mathbf{v}]}$$


Proof. We illustrate the main case of the second statement's proof, which is by
induction on $\Theta;\Delta \vdash \mathcal{J}$. Suppose the derivation ends with the rule MVar.


$$\dfrac{x\{\Delta'\} : T \in \Theta \qquad \Theta;\Delta \vdash \vec{t} : \Delta'}{\Theta;\Delta \vdash x\{\vec{t}\} : T[\vec{t}]}$$

By i.h. we have $\Xi;\Gamma.\Delta[\mathbf{v}] \vdash \mathrm{id}_\Gamma, \vec{t}[\mathbf{v}] : \Gamma.\Delta'[\mathbf{v}]$. Moreover, from $\Xi;\Gamma \vdash \mathbf{v} : \Theta$ we can
derive $\Xi;\Gamma.\Delta'[\mathbf{v}] \vdash \mathbf{v}_x : T[\mathbf{v}]$, so by the first statement (the substitution property
for variable substitutions) we get $\Xi;\Gamma.\Delta[\mathbf{v}] \vdash \mathbf{v}_x[\mathrm{id}_\Gamma, \vec{t}[\mathbf{v}]] : T[\mathbf{v}][\mathrm{id}_\Gamma, \vec{t}[\mathbf{v}]]$.
Because $x\{\vec{t}\}[\mathbf{v}] = \mathbf{v}_x[\mathrm{id}_\Gamma, \vec{t}[\mathbf{v}]]$ and $T[\vec{t}][\mathbf{v}] = T[\mathbf{v}][\mathrm{id}_\Gamma, \vec{t}[\mathbf{v}]]$ we are done.
Proposition 5 (Sorts are well-typed). The following rule is admissible when
the underlying theory is valid.
$$\dfrac{\Theta;\Gamma \vdash t : T}{\Theta;\Gamma \vdash T\ \mathsf{sort}}$$
Proof. By case analysis on $\Theta;\Gamma \vdash t : T$, and using Proposition 4. For rules
Cons and Dest we use the validity of the theory to deduce $\Xi_1 \vdash T\ \mathsf{sort}$ from
$c(\Xi_1; \Xi_2) : T \in \mathbb{T}$ and $\Xi_1.(x : T).\Xi_2 \vdash U\ \mathsf{sort}$ from $d(\Xi_1; x : T; \Xi_2) : U \in \mathbb{T}$.


Proposition 6 (Conversion in context). The following rule is admissible.


$$\dfrac{\Theta;\Gamma \vdash \mathcal{J} \qquad \Theta;\Delta \vdash \qquad \Gamma \equiv \Delta}{\Theta;\Delta \vdash \mathcal{J}}$$


3.4 Subject reduction 


A key property that all of our valid theories satisfy is subject reduction. Aside 
from ensuring that well-typed programs cannot go wrong, this property will be 
vital to establish the soundness of the bidirectional type system. 

In order to show subject reduction, we first need to prove some important 
properties of patterns. The first of them is injectivity with respect to conversion. 


Lemma 1 (Injectivity of patterns). If $t \in \mathrm{Tm}^p\ \theta\ \gamma$ and $t[\mathbf{v}] \equiv t[\mathbf{v}']$ for
some $\mathbf{v} \in \mathrm{MSub}\ \theta'\ \delta\ \theta$ and $\mathbf{v}' \in \mathrm{MSub}\ \theta'\ \delta\ \theta$ then $\mathbf{v} \equiv \mathbf{v}'$.


Proof. By induction on the pattern, generalizing the statement also to metavariable
substitution patterns. The key step is in case $c(\mathbf{t}[\mathbf{v}]) \equiv c(\mathbf{t}[\mathbf{v}'])$ in which we
crucially rely on Proposition 1 to get $\mathbf{t}[\mathbf{v}] \equiv \mathbf{t}[\mathbf{v}']$ and invoke the i.h. to conclude.


Given a well-typed term $t$ such that the result of substituting $\mathbf{v}$ in $t$ is also
well-typed, generally we cannot conclude that the metavariable substitution $\mathbf{v}$ is
well-typed. This reasoning is however valid when $t$ is a pattern, as shown by the
following result. Differently from the previous lemma, its proof is more intricate,
so instead of trying to give a proof sketch we refer to the technical report [24].


Proposition 7 (Inversion of pattern typing). Let $\mathbf{v} \in \mathrm{MSub}\ (\cdot)\ |\Delta|\ |\Theta|$.


— If $t \in \mathrm{Tm}^p\ |\Theta|\ (\cdot)$ and $\Theta \vdash t : T$ and $\Delta \vdash t[\mathbf{v}] : T[\mathbf{v}]$ then $\Delta \vdash \mathbf{v} : \Theta$

— If $T \in \mathrm{Tm}^p\ |\Theta|\ (\cdot)$ and $\Theta \vdash T\ \mathsf{sort}$ and $\Delta \vdash T[\mathbf{v}]\ \mathsf{sort}$ then $\Delta \vdash \mathbf{v} : \Theta$

— If $\mathbf{t} \in \mathrm{MSub}^p\ |\Theta|\ (\cdot)\ |\Xi|$ and $\Theta \vdash \mathbf{t} : \Xi$ and $\Delta \vdash \mathbf{t}[\mathbf{v}] : \Xi$ then $\Delta \vdash \mathbf{v} : \Theta$

We are now ready to show subject reduction.


Theorem 1 (Subject reduction). Suppose that the underlying theory is valid.


— If $\Gamma \vdash T\ \mathsf{sort}$ and $T \longrightarrow T'$ then $\Gamma \vdash T'\ \mathsf{sort}$
— If $\Gamma \vdash t : T$ and $t \longrightarrow t'$ then $\Gamma \vdash t' : T$
— If $\Gamma \vdash \mathbf{t} : \Xi$ and $\Xi \vdash$ and $\mathbf{t} \longrightarrow \mathbf{t}'$ then $\Gamma \vdash \mathbf{t}' : \Xi$
Proof. By induction on the rewrite judgment. We show only the main case:
$$\dfrac{\theta_1; \theta_2 \Vdash d(t; \mathbf{u}) \longmapsto r \qquad \mathbf{v}_1 \in \mathrm{MSub}\ (\cdot)\ |\Gamma|\ \theta_1 \qquad \mathbf{v}_2 \in \mathrm{MSub}\ (\cdot)\ |\Gamma|\ \theta_2}{d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) \longrightarrow r[\mathbf{v}_1, \mathbf{v}_2]}$$


Let $d(\Xi_1; x : U; \Xi_2) : V \in \mathbb{T}$ be the rule for $d$ in $\mathbb{T}$. Because $\mathbb{T}$ is valid, there are
$\Theta_1$ and $\Theta_2$ with $|\Theta_1| = \theta_1$ and $|\Theta_2| = \theta_2$ such that


$$\Xi_1.\Theta_1.\Theta_2 \vdash (\mathrm{id}_{\Xi_1}, t, \mathbf{u}) : \Xi_1.(x : U).\Xi_2 \qquad \text{and} \qquad \Xi_1.\Theta_1.\Theta_2 \vdash r : V[\mathrm{id}_{\Xi_1}, t, \mathbf{u}]$$
By inversion on $\Gamma \vdash d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) : T$ we get


$$\dfrac{\dfrac{\Gamma \vdash \mathbf{v}_0, t[\mathbf{v}_1], \mathbf{u}[\mathbf{v}_2] : \Xi_1.(x : U).\Xi_2}{\Gamma \vdash d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) : V[\mathbf{v}_0, t[\mathbf{v}_1], \mathbf{u}[\mathbf{v}_2]]}}{\Gamma \vdash d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) : T}$$


Therefore, we have $\Gamma \vdash (\mathrm{id}_{\Xi_1}, t, \mathbf{u})[\mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2] : \Xi_1.(x : U).\Xi_2$, and because
$\mathrm{id}_{\Xi_1}, t, \mathbf{u} \in \mathrm{MSub}^p\ |\Xi_1.\Theta_1.\Theta_2|\ (\cdot)\ |\Xi_1.(x : U).\Xi_2|$, then by Proposition 7 we
get $\Gamma \vdash \mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2 : \Xi_1.\Theta_1.\Theta_2$. By applying Proposition 4 with $\Xi_1.\Theta_1.\Theta_2 \vdash r :
V[\mathrm{id}_{\Xi_1}, t, \mathbf{u}]$ we get $\Gamma \vdash r[\mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2] : V[\mathrm{id}_{\Xi_1}, t, \mathbf{u}][\mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2]$. Finally, we have
$\Gamma \vdash T\ \mathsf{sort}$ by Proposition 5 applied to $\Gamma \vdash d(t[\mathbf{v}_1]; \mathbf{u}[\mathbf{v}_2]) : T$, and because
$r[\mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2] = r[\mathbf{v}_1, \mathbf{v}_2]$ and $V[\mathrm{id}_{\Xi_1}, t, \mathbf{u}][\mathbf{v}_0, \mathbf{v}_1, \mathbf{v}_2] = V[\mathbf{v}_0, t[\mathbf{v}_1], \mathbf{u}[\mathbf{v}_2]] \equiv T$
then by the conversion rule we conclude $\Gamma \vdash r[\mathbf{v}_1, \mathbf{v}_2] : T$.


4 Bidirectional type system 


In the previous section we have defined the declarative type system. We now 
move to the bidirectional type system. We start the section by discussing the 
problem of matching modulo, which is needed for recovering missing arguments. 
We then introduce the inferable and checkable terms, for which the bidirectional 
system is defined. We then give the bidirectional typing rules and prove they are 
sound and complete with respect to the declarative type system. Finally, we use 
this equivalence to deduce some important properties of the declarative system. 


4.1 Matching modulo rewriting 


Suppose we want to type $@(t; u)$ by first inferring the sort of $t$, yielding $T$. We
know that the sort of the principal argument in the rule for $@$ is the pattern
$\mathrm{Tm}(\Pi(A, x.B\{x\}))$, so we could hope to recover $A$ and $B$ by matching $T$ against
this pattern. However, because of the conversion rule, in dependent type theories
we cannot expect $T$ to be syntactically equal to an instance of this pattern, but
only convertible to it. Therefore, our goal is instead to find $A$ and $B$ satisfying
$\mathrm{Tm}(\Pi(A, x.B\{x\}))[A, x.B] \equiv T$. This shows that the process of recovering missing
arguments in bidirectional typing is actually an instance of matching modulo
rewriting — a connection that seems not to have been noted before in the literature.
This also explains why we were careful in Subsection 2.4 to require the
sort of a constructor rule and the sort of the principal argument of a destructor
rule to be patterns, as they need to support decidable and unitary matching.
In order to explain how to solve matching modulo problems, let us first recall
some concepts about rewriting theory. A (functional) strategy $\mathcal{S}$ [11] is defined
by a subrelation $\longrightarrow_{\mathcal{S}} \subseteq \longrightarrow^*$ which has the same normal forms as $\longrightarrow$ and is
functional in the sense that $t \longrightarrow_{\mathcal{S}} u_1$ and $t \longrightarrow_{\mathcal{S}} u_2$ imply $u_1 = u_2$. Let $m/o$ be
the maximal outermost strategy, which contracts all outermost redexes in one
step, and write $t \Downarrow_{m/o} c(\mathbf{u})$ if $c(\mathbf{u})$ is the first term headed by a constructor to
which $t$ reduces by $\longrightarrow_{m/o}$.

We can now define in Figure 3 an inference system for matching modulo
rewriting, which given a pattern $t$ and a term $u$ tries to compute a metavariable
substitution $\mathbf{v}$ such that $t[\mathbf{v}] \equiv u$. Note that the use of a specific rewriting
strategy is necessary to ensure the functionality of the inference system.
$$t \prec u \rightsquigarrow \mathbf{v} \qquad (t \in \mathrm{Tm}^p\ \theta\ \gamma;\ u \in \mathrm{Tm}\ (\cdot)\ \delta.\gamma;\ \mathbf{v} \in \mathrm{MSub}\ (\cdot)\ \delta\ \theta)$$

$$\dfrac{u \Downarrow_{m/o} c(\mathbf{u}) \qquad \mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v}}{c(\mathbf{t}) \prec u \rightsquigarrow \mathbf{v}}\ \text{Rigid} \qquad\qquad \dfrac{}{x\{\mathrm{id}_\gamma\} \prec u \rightsquigarrow \bar{x}_\gamma.u}\ \text{Flex}$$

$$\mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v} \qquad (\mathbf{t} \in \mathrm{MSub}^p\ \theta\ \gamma\ \xi;\ \mathbf{u} \in \mathrm{MSub}\ (\cdot)\ \delta.\gamma\ \xi;\ \mathbf{v} \in \mathrm{MSub}\ (\cdot)\ \delta\ \theta)$$

$$\dfrac{}{\varepsilon \prec \varepsilon \rightsquigarrow \varepsilon}\ \text{EmptyMSub} \qquad\qquad \dfrac{\mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v}_1 \qquad t \prec u \rightsquigarrow \mathbf{v}_2}{\mathbf{t}, \bar{x}.t \prec \mathbf{u}, \bar{x}.u \rightsquigarrow \mathbf{v}_1, \mathbf{v}_2}\ \text{ExtMSub}$$


Fig. 3. Inference system for matching modulo


Let us now establish the correctness of this inference system in three steps.
We first show its soundness, which follows by an easy induction on the derivation.


Proposition 8 (Soundness of matching).


— If $t \prec u \rightsquigarrow \mathbf{v}$ then $u \longrightarrow^* t[\mathbf{v}]$.
— If $\mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v}$ then $\mathbf{u} \longrightarrow^* \mathbf{t}[\mathbf{v}]$.


In order to show completeness we first have to answer the following question:
if $t \equiv c(\mathbf{u})$, are we sure that by reducing $t$ we eventually reach a term headed
by $c$? The answer would be no, had we taken for instance an innermost strategy.
Thankfully, because the rewrite systems of our theories are both orthogonal and
fully-extended, it follows by [39, Theorem 2] that the maximal-outermost strategy
we are using is head-normalizing, and so we have the following property.


Lemma 2. If $u \equiv c(\mathbf{t})$ then $u \Downarrow_{m/o} c(\mathbf{u})$ with $\mathbf{t} \equiv \mathbf{u}$.
Using Lemma 2, we can now show completeness by induction on the pattern.
Proposition 9 (Completeness of matching).


— If $t[\mathbf{v}] \equiv u$ for some $\mathbf{v} \in \mathrm{MSub}\ (\cdot)\ \delta\ \theta$ then $t \prec u \rightsquigarrow \mathbf{v}'$ for some $\mathbf{v}' \equiv \mathbf{v}$
— If $\mathbf{t}[\mathbf{v}] \equiv \mathbf{u}$ for some $\mathbf{v} \in \mathrm{MSub}\ (\cdot)\ \delta\ \theta$ then $\mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v}'$ for some $\mathbf{v}' \equiv \mathbf{v}$


Recall that an expression is weak normalizing if it reduces to a normal form.
We can now show that the inference system is decidable when being used with
weak normalizing expressions. The proof is by induction on the pattern, using
the fact that $m/o$ is normalizing [42, Theorem 10], so that reducing a weak
normalizing term with $m/o$ always terminates.


Proposition 10 (Decidability of matching).


— If $u$ is weak normalizing, then $\exists \mathbf{v}.\ t \prec u \rightsquigarrow \mathbf{v}$ is decidable for all $t$.
— If $\mathbf{u}$ is weak normalizing, then $\exists \mathbf{v}.\ \mathbf{t} \prec \mathbf{u} \rightsquigarrow \mathbf{v}$ is decidable for all $\mathbf{t}$.
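The substitution application of Figure 1 and the matching modulo rewriting of Figure 3, instantiated to $\mathbb{T}_{\lambda\Pi}$ with its $\beta$-rule, as an added Python example that is not the paper's own code. Rather than literally running the maximal-outermost strategy, it rewrites at the head only when a rigid position of the pattern demands it (which reaches the same constructor head, the system being orthogonal), and it assumes that binder names never clash with the free variables of the terms substituted for them.

```python
from dataclasses import dataclass
from typing import Optional, Union

# Constructed example for T_{lambda Pi}; nameful syntax, so binder names are assumed not to clash
# with the free variables of the terms substituted for them.
@dataclass(frozen=True)
class Var:                    # a variable x
    name: str
@dataclass(frozen=True)
class MVar:                   # a metavariable applied to a variable substitution: x{t1,...,tn}
    name: str
    args: tuple
@dataclass(frozen=True)
class App:                    # a symbol applied to bound arguments: c(x1..xk.t, ...) or d(t; u)
    sym: str
    args: tuple               # tuple of (binder names, body)

Term = Union[Var, MVar, App]
CONSTRUCTORS = {"Ty", "Tm", "Pi", "lam"}    # the constructors of Sigma_{lambda Pi}
DESTRUCTORS = {"app"}                         # "app" stands for the destructor @

def vsubst(t: Term, s: dict) -> Term:
    """e[v] for a variable substitution s : name -> Term (Figure 1, left column)."""
    if isinstance(t, Var):
        return s.get(t.name, t)           # variables outside dom(s) are left alone (identity)
    if isinstance(t, MVar):
        return MVar(t.name, tuple(vsubst(a, s) for a in t.args))
    # a binder shadows substituted variables of the same name
    return App(t.sym, tuple((xs, vsubst(b, {k: w for k, w in s.items() if k not in xs}))
                            for xs, b in t.args))

def msubst(t: Term, v: dict) -> Term:
    """e[v] for a metavariable substitution v : name -> (binder names, body) (Figure 1, right)."""
    if isinstance(t, Var):
        return t
    if isinstance(t, MVar):
        xs, body = v[t.name]
        # x{t}[v] := v_x[id, t[v]]: plug the substituted arguments for the bound variables of v_x
        return vsubst(body, dict(zip(xs, (msubst(a, v) for a in t.args))))
    return App(t.sym, tuple((xs, msubst(b, v)) for xs, b in t.args))

# beta-rule of T_{lambda Pi}:  t{x}; u |- @(lam(x.t{x}); u) |-> t{u}
BETA = (App("app", (((), App("lam", ((("x",), MVar("t", (Var("x"),))),))), ((), MVar("u", ())))),
        MVar("t", (MVar("u", ()),)))
RULES = [BETA]

def head_step(u: Term) -> Optional[Term]:
    """One rewrite step at the head, d(t[v1]; u[v2]) -> r[v1, v2], or None if no rule applies."""
    if not (isinstance(u, App) and u.sym in DESTRUCTORS):
        return None
    for lhs, rhs in RULES:
        v = match(lhs, u)        # matching the lhs reduces the principal argument on demand
        if v is not None:
            return msubst(rhs, v)
    return None

def head_normalize(u: Term) -> Optional[Term]:
    """u ⇓ c(u'): rewrite at the head until a constructor head appears; None if u is neutral."""
    while not (isinstance(u, App) and u.sym in CONSTRUCTORS):
        u = head_step(u)
        if u is None:
            return None
    return u

def match(p: Term, u: Term) -> Optional[dict]:
    """Figure 3: compute v with p[v] convertible to u, reducing u only at rigid positions."""
    if isinstance(p, MVar):                         # Flex: x{id_gamma} ≺ u ⇝ x̄_gamma.u
        return {p.name: (tuple(a.name for a in p.args), u)}
    if p.sym in CONSTRUCTORS:                       # Rigid: first reach a constructor head
        u = head_normalize(u)
    if not (isinstance(u, App) and u.sym == p.sym and len(u.args) == len(p.args)):
        return None                                 # wrong head, or a rule lhs that does not apply
    v = {}
    for (xs, pb), (ys, ub) in zip(p.args, u.args):
        # alpha-rename the term's binders to the pattern's before descending
        sub = match(pb, vsubst(ub, dict(zip(ys, map(Var, xs)))))
        if sub is None:
            return None
        v.update(sub)                               # patterns are linear, so nothing is overwritten
    return v

# smart constructors and the sort pattern of the principal argument of @
def V(x): return Var(x)
def lam(x, body): return App("lam", (((x,), body),))
def app(t, u): return App("app", (((), t), ((), u)))
def Pi(A, x, B): return App("Pi", (((), A), ((x,), B)))
def Tm(A): return App("Tm", (((), A),))
PATTERN = Tm(Pi(MVar("A", ()), "x", MVar("B", (V("x"),))))

def example_substitution():
    """Example 4 with t := x, u := y: (x.t, u) applied to @(lam(x.t{x}); u) gives @(lam(x.x); y)."""
    return msubst(app(lam("x", MVar("t", (V("x"),))), MVar("u", ())),
                  {"t": (("x",), V("x")), "u": ((), V("y"))})

def example_matching():
    """Tm(@(lam(y.Pi(y, z.z)); n)) is only convertible to an instance of PATTERN: the Pi
    position is reduced by beta, giving A := n and B := x.x (binder renamed from z to x)."""
    return match(PATTERN, Tm(app(lam("y", Pi(V("y"), "z", V("z"))), V("n"))))
```

Matching a neutral sort such as $\mathrm{Tm}(@(w; n))$ fails, since no constructor head is ever reached at the $\Pi$ position, and a redex sitting under the flex position $A$ is returned unreduced.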


4.2 Inferable and checkable terms 


Before giving the bidirectional typing rules, we first have to address the problem
that some terms without annotations cannot be algorithmically typed. Suppose
for instance that we want to type the term $@(\lambda(x.t); u)$ by inferring the sort of
the principal argument of $@$ to recover $A$ and $B$. But because $\lambda(x.t)$ is headed by
a constructor it can only be bidirectionally typed in mode check, so we are stuck.
One could think that this limitation is specific to bidirectional typing, however a
famous result by Dowek shows that, in a dependently-typed setting, the problem
of typing unannotated terms is actually undecidable in its full generality [18].
To solve this issue, we have two options. We could proceed as in the Coq literature
[33] and add extra annotations to terms so that they can always be inferred.
For instance, we would then need to annotate abstraction with its domain by
writing $\lambda(A, x.t)$ instead of $\lambda(x.t)$. However, not only does this solution make the syntax
heavier, but by abandoning the constructor/destructor separation in which
constructors are always typed in mode check, it yields typing rules which are
much less symmetric and whose form seems difficult to specify in a generic way.
We instead take the choice made by most of the dependent bidirectional typing
literature [2,38,1,16,3,4] and define our bidirectional system only for a subset
of expressions, the checkable and inferable terms and the checkable metavariable
substitutions. Given a fixed signature $\Sigma$, they are defined as follows.


$$\begin{array}{lll}
\mathrm{Tm}^i\ \gamma \ni t, u, v & ::= & x \qquad \text{if } x \in \gamma \\
& \mid & d(t \in \mathrm{Tm}^i\ \gamma;\ \mathbf{t} \in \mathrm{MSub}^c\ \gamma\ \xi) \qquad \text{if } d(\xi) \in \Sigma \\[4pt]
\mathrm{Tm}^c\ \gamma \ni t, u, v & ::= & c(\mathbf{t} \in \mathrm{MSub}^c\ \gamma\ \xi) \qquad \text{if } c(\xi) \in \Sigma \\
& \mid & \underline{t} \qquad \text{if } t \in \mathrm{Tm}^i\ \gamma \\[4pt]
\mathrm{MSub}^c\ \gamma\ \xi \ni \mathbf{t}, \mathbf{u}, \mathbf{v} & ::= & \varepsilon \qquad \text{if } \xi = \cdot \\
& \mid & \mathbf{t} \in \mathrm{MSub}^c\ \gamma\ \xi', \bar{x}_\delta.t \in \mathrm{Tm}^c\ \gamma.\delta \qquad \text{if } \xi = \xi', x\{\delta\}
\end{array}$$
Let us go through the definition. An inferable term is either a variable or
a destructor whose principal argument is inferable, and whose other arguments
are given by a checkable metavariable substitution. Imposing the principal argument
to be inferable is the key restriction to rule out terms like $@(\lambda(x.t); u)$.
A checkable term is then either a constructor applied to a checkable metavariable
substitution, or an underlined inferable term. Finally, a checkable metavariable
substitution is just a metavariable substitution containing only checkable terms.


Example 9. The inferable and checkable terms for the signature $\Sigma_{\lambda\Pi}$ are given
respectively by the following grammars, where we omit the scope information.


$$\begin{array}{lll}
t^i, u^i & ::= & x \mid @(t^i; u^c) \\
t^c, u^c, A^c, B^c & ::= & \mathrm{Ty} \mid \mathrm{Tm}(A^c) \mid \Pi(A^c, x.B^c) \mid \lambda(x.t^c) \mid \underline{t^i}
\end{array}$$


One could wonder if restricting the terms that can be algorithmically typed is
a significant limitation. For most usual theories (like $\mathbb{T}_{\lambda\Pi}$ and those in Section 5)
the checkable terms coincide with the normal forms, and the inferable terms
coincide with the neutrals. As argued in other works [38,1], users of type theory
almost only write terms in normal form, and in the few cases writing a redex is
more convenient, in actual implementations the principal argument can always
be lifted to a top-level definition. Therefore, this restriction, also present in most
of the dependent bidirectional typing literature [2,38,1,16,3,4], does not pose a
serious limitation in practice.

Note also that inferable and checkable terms have no metavariables. Even
if metavariables are needed in the declarative system to be able to say which
theories are valid, when writing terms in a fixed theory metavariables are generally
not needed, and hence they are omitted from usual presentations of type
theories. It is therefore reasonable to leave them out of the bidirectional syntax,
as they will be of no use for users.

Given $t \in \mathrm{Tm}^i\ \gamma$ or $t \in \mathrm{Tm}^c\ \gamma$ we write $\ulcorner t \urcorner \in \mathrm{Tm}\ (\cdot)\ \gamma$ for its underlying
term, and for $\mathbf{t} \in \mathrm{MSub}^c\ \gamma\ \xi$ we also write $\ulcorner \mathbf{t} \urcorner \in \mathrm{MSub}\ (\cdot)\ \gamma\ \xi$ for its underlying
metavariable substitution.


4.3 Bidirectional typing rules 


Given a theory T, we can now define its bidirectional type system by the rules 
in Figure 4. The system is split in 4 judgments: 


— I HT & sort : Checking that a checkable term T is a well-formed sort 

— [tt &T : Checking that a checkable term ¢ has sort T 

—T+t=T-: Inferring a sort T for an inferable term t 

—T|v:8+t = ©: Checking that a checkable metavariable substitution t 
can be typed by © "to the right" of v : E 


As in the declarative system, the most important rules are the one that 
instantiate the schematic typing rules: CONST, DEST and SORT. However, dif- 
ferently from the declarative system, no more guessing is needed when building 
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TrereT (TeCtx; Te Tm(-) ||; te Tms |r) 


Cons SWITCH 

T<U~rv T|v:81 H u & Eg Trers>T 
c(Sy;82):TeT T =; U— 
Ttc(u) =U Trereevu 


TtT (MeCtx; Te Tm(,) I; te Tm I) 


DEST 
TrersVv T<V~wvv y 
T | (v, 4) : (€1,x:T) u =E AR 
d(81;x:T;8):UeET K aa ) 2 x:Ter ——————— 
T+ d(t; u) > U[v, "t", "u"] Trex >T 
rT —sort (I € Ctx; Te TmS |r) 
SORT 
Tle:()+tee 
c(S) sort e T ———_____ 
T+ c(t) & sort 
T € Ctx; © € MCtx; v € MSub (-) |C] |O]; 
Tlv:O@rtes 
= e MCtx |O]; t € MSub* |I] |El] 
ExTMSvus 
pe a ota Plv:O@rtes Aly, thre T[v,"t] 
Tlv:Oree=() Tlv:Ort,xX,.t = (E, x{A} : T) 


Fig. 4. Bidirectional typing rules 


a type derivation. For instance, when using rule DEST with d(t;u) the omitted 
arguments are no longer guessed, but instead recovered by inferring the sort of 
the principal argument ¢ and then matching it against the associated pattern. 


Example 10. Suppose we want to infer a sort for $@(t; u)$ in the theory $\mathbb{T}_{\lambda\Pi}$. To
use rule DEST, we start by inferring a sort $V$ for $t$, and then we try to match
it against the pattern $\mathsf{Tm}(\Pi(A, x.B\{x\}))$. If matching succeeds, we recover the
arguments $A$ and $B$, which together with $\ulcorner t\urcorner$ are then used in

$$\Gamma \mid (A, x.B, \ulcorner t\urcorner) : (A : \mathsf{Ty},\ B\{x : \mathsf{Tm}(A)\} : \mathsf{Ty},\ t : \ldots) \vdash (u) \Leftarrow (u : \mathsf{Tm}(A))$$

where we omit the sort of $t$ for lack of space. By applying the rules that define
the judgment $\Gamma \mid \mathbf{v} : \Theta \vdash \mathbf{t} \Leftarrow \Xi$, we see that this amounts to showing just
$\Gamma \vdash u \Leftarrow \mathsf{Tm}(A)$, and so the final shape of this "big-step derivation" is the
following, which corresponds to the usual bidirectional rule for application.

$$\frac{\Gamma \vdash t \Rightarrow V \qquad \mathsf{Tm}(\Pi(A, x.B\{x\})) \prec V \rightsquigarrow A, x.B \qquad \Gamma \vdash u \Leftarrow \mathsf{Tm}(A)}{\Gamma \vdash @(t; u) \Rightarrow \mathsf{Tm}(B[\mathrm{id}_\Gamma, \ulcorner u\urcorner])}$$
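The application rule just derived can be run as code. What follows is an added example written for this edit, not code from the paper or from its implementation: a bidirectional checker for a simply typed fragment with one base sort (assumed here to be called Unit), function sorts, unannotated λ, application, and an explicit annotation form. It specialises the rules of Figure 4 to this fragment: matching against the pattern $\mathsf{Tm}(\Pi(A, x.B\{x\}))$ becomes matching against an arrow sort, and conversion is plain structural equality because the fragment has no computation. All names (Base, Arrow, Lam, App, Ann, IllTyped, infer, check, typechecks) are this example's own.

```python
from dataclasses import dataclass

# ---- sorts of the fragment (constructed for this example) ----
@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class Arrow:            # A -> B, the fragment's only sort former
    dom: object
    cod: object

# ---- terms: binders carry no sort annotation, as in the paper's syntax ----
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:              # checkable: lambda(x.t); the sorts A and B are erased
    param: str
    body: object

@dataclass(frozen=True)
class App:              # inferable: @(t; u) with principal argument t
    fn: object
    arg: object

@dataclass(frozen=True)
class Ann:              # inferable: (t : T), makes a checkable term usable in inferring position
    term: object
    sort: object

@dataclass(frozen=True)
class Unit:             # checkable constructor with no arguments
    pass

class IllTyped(Exception):
    pass

def match_arrow(T):
    """The matching step T < U ~> v of CONST/DEST, specialised to the pattern
    A -> B: recovers the erased arguments A and B from the sort U."""
    if not isinstance(T, Arrow):
        raise IllTyped(f"expected a function sort, got {T}")
    return T.dom, T.cod

def infer(ctx, t):
    """Gamma |- t => T: ctx maps variable names to sorts; returns the inferred sort."""
    if isinstance(t, Var):                        # VAR
        if t.name not in ctx:
            raise IllTyped(f"unbound variable {t.name}")
        return ctx[t.name]
    if isinstance(t, App):                        # DEST for @: infer the principal
        A, B = match_arrow(infer(ctx, t.fn))      # argument, match its sort, then
        check(ctx, t.arg, A)                      # check the remaining argument
        return B                                  # against the recovered A
    if isinstance(t, Ann):
        check(ctx, t.term, t.sort)
        return t.sort
    raise IllTyped(f"{t} is not inferable")

def check(ctx, t, T):
    """Gamma |- t <= T: raises IllTyped when t does not have sort T."""
    if isinstance(t, Lam):                        # CONST for lambda: A and B come
        A, B = match_arrow(T)                     # from T, nothing is guessed
        check({**ctx, t.param: A}, t.body, B)
        return
    if isinstance(t, Unit):                       # CONST for a nullary constructor
        if T != Base("Unit"):
            raise IllTyped(f"unit is not of sort {T}")
        return
    U = infer(ctx, t)                             # SWITCH: infer, then compare sorts
    if U != T:                                    # (structural equality stands in for conversion)
        raise IllTyped(f"inferred {U} but expected {T}")

def typechecks(ctx, t, T):
    """Boolean wrapper around check, convenient for scripts and tests."""
    try:
        check(ctx, t, T)
        return True
    except IllTyped:
        return False

if __name__ == "__main__":
    unit = Base("Unit")
    ident = Ann(Lam("x", Var("x")), Arrow(unit, unit))
    print(infer({}, App(ident, Unit())))          # the sort Unit, recovered from the arrow
    print(typechecks({}, Lam("x", Var("x")), unit))   # False: a lambda needs a function sort
```

The same shape carries over to the dependent case: the only changes are that `match_arrow` becomes matching modulo rewriting against the pattern of the destructor's principal argument, and the `U != T` test becomes the conversion check $T \equiv U$.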
4.4 Equivalence with declarative typing


We now establish the equivalence between the declarative and bidirectional type 
systems. This is done in two steps, the first one being soundness: 


Theorem 2 (Soundness). Suppose that the underlying theory $\mathbb{T}$ is valid.

1. If $\Gamma \vdash$ and $\Gamma \vdash t \Rightarrow T$ then $\Gamma \vdash \ulcorner t\urcorner : T$.

2. If $\Gamma \vdash T\ \mathsf{sort}$ and $\Gamma \vdash t \Leftarrow T$ then $\Gamma \vdash \ulcorner t\urcorner : T$.

3. If $\Gamma \vdash$ and $\Gamma \vdash T \Leftarrow \mathsf{sort}$ then $\Gamma \vdash \ulcorner T\urcorner\ \mathsf{sort}$.

4. If $\Gamma \vdash \mathbf{v} : \Xi_1$ and $\Xi_1.\Xi_2 \vdash$ and $\Gamma \mid \mathbf{v} : \Xi_1 \vdash \mathbf{t} \Leftarrow \Xi_2$ then $\Gamma \vdash \mathbf{v}, \ulcorner\mathbf{t}\urcorner : \Xi_1.\Xi_2$.


Proof. By induction on the derivation. We illustrate one of the interesting cases.

$$\frac{T \prec U \rightsquigarrow \mathbf{v} \qquad \Gamma \mid \mathbf{v} : \Xi_1 \vdash \mathbf{u} \Leftarrow \Xi_2}{\Gamma \vdash c(\mathbf{u}) \Leftarrow U}\ \big(c(\Xi_1; \Xi_2) : T \in \mathbb{T}\big)$$

By Proposition 8 we have $U \longrightarrow^* T[\mathbf{v}]$, so because we have $\Gamma \vdash U\ \mathsf{sort}$ then by
Theorem 1 we get $\Gamma \vdash T[\mathbf{v}]\ \mathsf{sort}$. We have $T \in \mathsf{Tm}^{\mathcal P}\,|\Xi_1|\,(\cdot)$, and validity of the
theory also gives $\Xi_1 \vdash T\ \mathsf{sort}$, therefore by Proposition 7 we get $\Gamma \vdash \mathbf{v} : \Xi_1$. By
validity of the theory we also have $\Xi_1.\Xi_2 \vdash$, therefore by applying the i.h. to the
second premise we get $\Gamma \vdash \mathbf{v}, \ulcorner\mathbf{u}\urcorner : \Xi_1.\Xi_2$. We can then derive $\Gamma \vdash c(\ulcorner\mathbf{u}\urcorner) : T[\mathbf{v}]$,
and because $T[\mathbf{v}] \equiv U$ and $\Gamma \vdash U\ \mathsf{sort}$, by conversion we conclude $\Gamma \vdash c(\ulcorner\mathbf{u}\urcorner) : U$.


Completeness then asserts that checkable/inferable terms typable in the 
declarative system can also be typed in the bidirectional system. 


Theorem 3 (Completeness). Suppose that the underlying theory $\mathbb{T}$ is valid.

1. If $t$ is inferable and $\Gamma \vdash \ulcorner t\urcorner : T$ then $\Gamma \vdash t \Rightarrow T'$ with $T \equiv T'$.

2. If $t$ is checkable and $\Gamma \vdash \ulcorner t\urcorner : T$ then we have $\Gamma \vdash t \Leftarrow T$.

3. If $T$ is checkable and $\Gamma \vdash \ulcorner T\urcorner\ \mathsf{sort}$ then $\Gamma \vdash T \Leftarrow \mathsf{sort}$.

4. If $\mathbf{t}$ is checkable and $\Gamma \vdash \mathbf{v}, \ulcorner\mathbf{t}\urcorner : \Theta.\Xi$ then we have $\Gamma \mid \mathbf{v} : \Theta \vdash \mathbf{t} \Leftarrow \Xi$.


Proof. The proof requires us to strengthen the statement, so the two occurrences
of the context $\Gamma$ in points 1-4, of the sort $T$ in point 2 and of the substitution
$\mathbf{v}$ in point 4 are not required to be syntactically equal, but only convertible (see
the technical report [24] for the exact statement). The proof is then by induction
on the checkable/inferable term or checkable substitution.

We illustrate the case $t = d(u; \mathbf{t})$, in which we have to show that for all $\Gamma' \equiv \Gamma$
we have some $T' \equiv T$ such that $\Gamma' \vdash t \Rightarrow T'$. By inversion on $\Gamma \vdash \ulcorner t\urcorner : T$ we have

$$\frac{\dfrac{\Gamma \vdash \mathbf{v}, \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner : \Xi_1.(x : U).\Xi_2}{\Gamma \vdash d(\ulcorner u\urcorner; \ulcorner\mathbf{t}\urcorner) : V[\mathbf{v}, \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner]}\ \big(d(\Xi_1; x : U; \Xi_2) : V \in \mathbb{T}\big) \qquad T \equiv V[\mathbf{v}, \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner]}{\Gamma \vdash d(\ulcorner u\urcorner; \ulcorner\mathbf{t}\urcorner) : T}$$

Let $\Gamma' \equiv \Gamma$. From $\Gamma \vdash \mathbf{v}, \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner : \Xi_1.(x : U).\Xi_2$ we get $\Gamma \vdash \ulcorner u\urcorner : U[\mathbf{v}]$, so
because $u$ is inferable, by the i.h. we obtain that for some $U' \equiv U[\mathbf{v}]$ we have
$\Gamma' \vdash u \Rightarrow U'$. By Proposition 9 we then get $U \prec U' \rightsquigarrow \mathbf{v}'$ with $\mathbf{v} \equiv \mathbf{v}'$. Then,
because $\mathbf{t}$ is checkable and $\Gamma \equiv \Gamma'$ and $\mathbf{v}, \ulcorner u\urcorner \equiv \mathbf{v}', \ulcorner u\urcorner$, by the i.h. we derive
$\Gamma' \mid (\mathbf{v}', \ulcorner u\urcorner) : (\Xi_1, x : U) \vdash \mathbf{t} \Leftarrow \Xi_2$. Putting all this together, we conclude
$\Gamma' \vdash d(u; \mathbf{t}) \Rightarrow V[\mathbf{v}', \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner]$, where we have $V[\mathbf{v}', \ulcorner u\urcorner, \ulcorner\mathbf{t}\urcorner] \equiv T$ as required.
4.5 Consequences of the equivalence


We now explore the established equivalence in order to show two important 
properties: decidability of typing and uniqueness of sorts. 

We say that a theory $\mathbb{T}$ is weak normalizing if for all expressions $e$ with
$\Gamma \vdash e\ \mathsf{sort}$ or $\Gamma \vdash e : T$ or $\Gamma \vdash e : \Xi$ we have that $e$ is weak normalizing.


Theorem 4 (Decidability of typing). Suppose that the underlying theory $\mathbb{T}$
is valid and weak normalizing.

1. If $t$ is inferable and $\Gamma \vdash$ then the statement $\exists T.\,(\Gamma \vdash \ulcorner t\urcorner : T)$ is decidable.

2. If $t$ is checkable and $\Gamma \vdash T\ \mathsf{sort}$ then the statement $\Gamma \vdash \ulcorner t\urcorner : T$ is decidable.

3. If $T$ is checkable and $\Gamma \vdash$ then the statement $\Gamma \vdash \ulcorner T\urcorner\ \mathsf{sort}$ is decidable.

4. If $\mathbf{t}$ is checkable and $\Theta.\Xi \vdash$ and $\Gamma \vdash \mathbf{v} : \Theta$ then the statement $\Gamma \vdash \mathbf{v}, \ulcorner\mathbf{t}\urcorner : \Theta.\Xi$
is decidable.


Proof. We first show the corresponding statement for the bidirectional system, 
using Proposition 10, Theorem 2 and the decidability of conversion for well-typed 
terms (which follows from weak normalization). By Theorems 2 and 3 we can 
then conclude. We refer to the technical report [24] for the proof. 


We now move to uniqueness of sorts. First note that, because our terms
are non-annotated, uniqueness of sorts does not hold in general: for instance,
$\lambda(x.x)$ can be typed by $\mathsf{Tm}(\Pi(A, x.A))$ in context $\Gamma$ for any $A$ with $\Gamma \vdash A : \mathsf{Ty}$.
Nevertheless, we can still show uniqueness of sorts for inferable terms:


Theorem 5 (Uniqueness of sorts). Suppose that the underlying theory $\mathbb{T}$ is
valid. If $t$ is inferable and $\Gamma \vdash \ulcorner t\urcorner : T$ and $\Gamma \vdash \ulcorner t\urcorner : U$ then $T \equiv U$.


Proof. By Theorem 3 we get $\Gamma \vdash t \Rightarrow T'$ with $T \equiv T'$ from $\Gamma \vdash \ulcorner t\urcorner : T$ and
$\Gamma \vdash t \Rightarrow U'$ with $U \equiv U'$ from $\Gamma \vdash \ulcorner t\urcorner : U$. We can show type inference to be
functional, so we get $T' = U'$ and thus $T \equiv U$.


5 More examples 


In the previous sections we have illustrated our framework with the theory $\mathbb{T}_{\lambda\Pi}$,
defining a basic Martin-Löf Type Theory with dependent products. We now show
other examples of valid theories to showcase the generality of our framework.
Throughout this section, we use the informal notation for schematic typing rules
discussed in Subsection 2.4, for readability purposes. We refer to the files of the
implementation [23] for more details.


Lists We can define lists by extending $\mathbb{T}_{\lambda\Pi}$ with the following.

$$\frac{\vdash A : \mathsf{Ty}}{\vdash \mathsf{List}(A) : \mathsf{Ty}} \qquad \frac{\vdash A : \mathsf{Ty}}{\vdash \mathsf{nil} : \mathsf{Tm}(\mathsf{List}(A))} \qquad \frac{\vdash A : \mathsf{Ty} \qquad \vdash x : \mathsf{Tm}(A) \qquad \vdash l : \mathsf{Tm}(\mathsf{List}(A))}{\vdash \mathsf{cons}(x, l) : \mathsf{Tm}(\mathsf{List}(A))}$$

$$\frac{\vdash A : \mathsf{Ty} \qquad \vdash l : \mathsf{Tm}(\mathsf{List}(A)) \qquad x : \mathsf{Tm}(\mathsf{List}(A)) \vdash P : \mathsf{Ty} \qquad \vdash \mathit{pnil} : \mathsf{Tm}(P\{\mathsf{nil}\}) \qquad x : \mathsf{Tm}(A),\ y : \mathsf{Tm}(\mathsf{List}(A)),\ z : \mathsf{Tm}(P\{y\}) \vdash \mathit{pcons} : \mathsf{Tm}(P\{\mathsf{cons}(x, y)\})}{\vdash \mathsf{ListRec}(l; P, \mathit{pnil}, \mathit{pcons}) : \mathsf{Tm}(P\{l\})}$$

$$\mathsf{ListRec}(\mathsf{nil}; x.P\{x\}, \mathit{pnil}, xyz.\mathit{pcons}\{x, y, z\}) \longmapsto \mathit{pnil}$$

$$\mathsf{ListRec}(\mathsf{cons}(x, l); x.P\{x\}, \mathit{pnil}, xyz.\mathit{pcons}\{x, y, z\}) \longmapsto \mathit{pcons}\{x, l, \mathsf{ListRec}(l; x.P\{x\}, \mathit{pnil}, xyz.\mathit{pcons}\{x, y, z\})\}$$

Like one would wish, the constructors $\mathsf{nil}$ and $\mathsf{cons}$ indeed do not store the type
annotation $A$, which is recovered from the sort. This annotation is also elided in
the destructor $\mathsf{ListRec}$, where it is recovered from the principal argument.


In general, we can extend the theory with any (non-indexed) inductive type. 
For instance, see the file mltt.bitt where we add dependent sums and W types. 


Universes We can define Tarski-style universes by extending $\mathbb{T}_{\lambda\Pi}$ with a type $\mathsf{U}$
and a decoding function mapping each inhabitant $a$ of $\mathsf{U}$ into a type $\mathsf{El}(a; \varepsilon)$.

$$\frac{}{\vdash \mathsf{U} : \mathsf{Ty}} \qquad \frac{\vdash a : \mathsf{Tm}(\mathsf{U})}{\vdash \mathsf{El}(a; \varepsilon) : \mathsf{Ty}}$$

We then add a code for each type of the theory, with an associated rewriting
rule stating that the code is decoded by $\mathsf{El}$ into the appropriate type.

$$\frac{}{\vdash \mathsf{u} : \mathsf{Tm}(\mathsf{U})} \qquad \frac{\vdash a : \mathsf{Tm}(\mathsf{U}) \qquad x : \mathsf{Tm}(\mathsf{El}(a; \varepsilon)) \vdash b : \mathsf{Tm}(\mathsf{U})}{\vdash \pi(a, b) : \mathsf{Tm}(\mathsf{U})}$$

$$\mathsf{El}(\mathsf{u}; \varepsilon) \longmapsto \mathsf{U} \qquad\qquad \mathsf{El}(\pi(a, x.b\{x\}); \varepsilon) \longmapsto \Pi(\mathsf{El}(a; \varepsilon), x.\mathsf{El}(b\{x\}; \varepsilon))$$

This specifies a type-in-type universe, which is known to be inconsistent [15].
This can however be easily fixed by stratifying universes into a hierarchy. By
doing this, we can then define a Tarski-style variant of (functional) Pure Type
Systems [9]. Alternatively, instead of using Tarski-style we can also define (weak)
Coquand-style universes [17,30,32,6], which require replacing the sorts $\mathsf{Ty}$ and
$\mathsf{Tm}$ by indexed families $\mathsf{Ty}_i$ and $\mathsf{Tm}_i$; see the file mltt-coquand.bitt for a
definition also featuring (weak) cumulativity and universe polymorphism.


Higher-order logic We have seen how to extend $\mathbb{T}_{\lambda\Pi}$ with various type formers;
however, we can also define logics. To define higher-order logic (HOL) we first
declare a type of propositions and a sort rule to represent the judgment "$P$ is true".

$$\frac{}{\vdash \mathsf{Prop} : \mathsf{Ty}} \qquad \frac{\vdash P : \mathsf{Tm}(\mathsf{Prop})}{\vdash \mathsf{Prf}(P)\ \mathsf{sort}}$$

We can then add connectives or quantifiers such as the universal quantifier $\forall$;
see the file hol.bitt for more details.

$$\frac{\vdash A : \mathsf{Ty} \qquad x : \mathsf{Tm}(A) \vdash P : \mathsf{Tm}(\mathsf{Prop})}{\vdash \forall(A, P) : \mathsf{Tm}(\mathsf{Prop})} \qquad \frac{\vdash A : \mathsf{Ty} \qquad x : \mathsf{Tm}(A) \vdash P : \mathsf{Tm}(\mathsf{Prop}) \qquad x : \mathsf{Tm}(A) \vdash p : \mathsf{Prf}(P)}{\vdash \forall_{\mathsf{in}}(p) : \mathsf{Prf}(\forall(A, x.P\{x\}))}$$

$$\frac{\vdash A : \mathsf{Ty} \qquad x : \mathsf{Tm}(A) \vdash P : \mathsf{Tm}(\mathsf{Prop}) \qquad \vdash r : \mathsf{Prf}(\forall(A, x.P\{x\})) \qquad \vdash t : \mathsf{Tm}(A)}{\vdash \forall_{\mathsf{el}}(r; t) : \mathsf{Prf}(P\{t\})} \qquad\qquad \forall_{\mathsf{el}}(\forall_{\mathsf{in}}(x.p\{x\}); t) \longmapsto p\{t\}$$
6 Related work


Our general definition of dependent type theories draws much inspiration from 
other frameworks for type theory, such as GATs/QIITs [13,7,31], SOGATs [45], 
FTTs [29], and logical frameworks such as Dedukti [8,12] and Harper’s Equa- 
tional LF [27]. However, we differ from these works by supporting non-annotated 
syntaxes and enforcing a constructor/destructor separation of symbols and rules, 
both of which seem to be important ingredients for bidirectional typing. 

Another point of divergence from these frameworks is that most of them 
allow the use of arbitrary equations when defining the definitional equality of 
theories. However, it then becomes hard to give an implementation, as it would 
require deciding arbitrary equational theories. We instead take the approach of 
Dedukti of supporting only rewrite rules, which allows one to decide the definitional 
equality of theories in a uniform manner, and makes it possible to implement our 
framework. A different approach is taken in Andromeda, an implementation of 
FTTs, where they also allow for extensionality rules [10]. They however provide 
no proof of completeness for their equality-checking algorithm. 

Our proposal also draws inspiration from the works of McBride, a main ad- 
vocate of dependent bidirectional typing. His ongoing work on a framework for 
bidirectional typing [35,36] shares many similarities with ours, for instance by 
adopting a constructor/destructor separation of rules. However, an important 
difference with our framework is that he takes the bidirectional type system as 
the definition of the theory. Therefore, there is no discussion on how to show 
soundness and completeness with respect to a declarative system, as the bidirec- 
tional one is the only type system defined in his setting. This approach differs 
from most of the literature on dependent bidirectional typing [19,2,33,1,3,4], in 
which one first defines the type theory by a "platonic" declarative type system 
and then shows it equivalent to a bidirectional system which can be implemented. 
Finally, this choice also makes the metatheoretic study of theories quite different: 
for instance, in order for the bidirectional system to satisfy subject reduction he 
is obliged to introduce type ascriptions in the syntax. 

Another work from which ours drew inspiration is the one of Reed [43], where 
he proposes a variant of the Edinburgh Logical Framework in which arguments 
can be omitted. Crucially, these arguments are not elaborated through global 
unification, but instead locally recovered by annotating each declaration with 
modes to guide a bidirectional algorithm. However, his framework does not allow 
for extending the definitional equality, meaning that one cannot define dependent 
type theories directly, but instead has to encode its derivations trees (as in [28]). 
This also means that his system does not need to deal with some complications 
that arise in our more general setting, such as matching modulo. 

Finally, concurrently to our work, Chen and Ko [14] have proposed a frame- 
work for simply-typed bidirectional typing. They also define declarative and 
bidirectional systems and establish a correspondence between them. Compared 
to our work, their restriction to simple types removes many of the complexities 
that appear in dependent type theories. For instance, while their types are first- 
order terms with no notion of computation or typing, our sorts are higher-order 
terms considered modulo a set of rewrite rules and subject to typing judgments, 
making the process of recovering missing arguments much more intricate. They 
however formalize all their proofs in Agda. 


7 Conclusion and future work 


In this work we have given a generic account of bidirectional typing for a general 
class of dependent type theories. Our main results, Theorems 2 and 3, establish 
an equivalence between declarative and bidirectional type systems for a general 
class of theories. The underlying algorithm of Theorem 4, establishing the de- 
cidability of typing for weak normalizing theories, has been implemented in a 
prototype further described in an accompanying experience report [22]. Com- 
pared to other theory-independent typecheckers, such as Dedukti, its support 
for unannotated syntaxes should allow for better performances, which can make 
it a good candidate for cross-checking real proof libraries. 

Regarding future work, the most important omission that we would like to ad- 
dress is that of inductive families. Indeed, these do not fit our definitions because 
their constructor’s sorts either are non-linear patterns (as in the constructor for 
equality) or contain metavariables for arguments that are computationally rele- 
vant and thus cannot be omitted (as in the cons constructor for vectors). 

Moreover, even if our system builds heavily on the constructor/destructor dis-
tinction in type theory, some few constructions do not respect this separation. For
instance, to define Russell universes we need the rewrite rule $\mathsf{Tm}(\mathsf{U}) \longmapsto \mathsf{Ty}$ [44],
which is not valid as $\mathsf{Tm}$ is not a destructor. Whether there is a way of accommo-
dating these constructions without fully abandoning the constructor/destructor
separation is something we would like to investigate in future work.

A long term goal is also to extend our framework to account for type-directed
equality rules, which are needed for handling η-laws and definitional proof
irrelevance. Even if it is well known how to design complete equality checking
algorithms for specific theories with type-directed equalities [5], doing so in a 
general setting like ours seems to be an important challenge. We could take 
inspiration from the customizable equality-checking algorithm implemented in 
Andromeda [10]. However, as mentioned in the previous section, their algorithm 
is not proven complete, so further research in this direction seems to be needed. 


Acknowledgements The author thanks Gilles Dowek, Vincent Moreau, Théo 
Abstract. We report on the implementation of a generic bidirectional
algorithm for dependent type theories, following the proposal of the paper
"Generic bidirectional typing for dependent type theories".


In [5] we have proposed a general definition of dependent type theories sup- 
porting bidirectional typing, and established an equivalence between their declar- 
ative and bidirectional type systems. The crucial property satisfied by the bidi- 
rectional system is its decidability for normalizing theories, which allowed for its 
implementation in OCaml in the tool BiTTs [6] which we describe here. 


1 A quick introduction to the implementation 


Let us first start with a concrete example of how to use the tool. Because the algo- 
rithm implemented is theory-independent, the first step to use it is to specify the 
theory we want to work in. This is done with the commands sort, constructor, 
destructor and rewrite which specify respectively sort, constructor, destructor 
and rewrite rules. For instance, the following declarations define the theory $\mathbb{T}_{\lambda\Pi}$
given in [5, Example 6], constituting a minimalistic Martin-Löf Type Theory
with dependent functions.


sort Ty ()
sort Tm (A : Ty)
constructor Π () (A : Ty, B{x : Tm(A)} : Ty) : Ty
constructor λ (A : Ty, B{x : Tm(A)} : Ty) (t{x : Tm(A)} : Tm(B{x})) : Tm(Π(A, x. B{x}))
destructor @ (A : Ty, B{x : Tm(A)} : Ty) (t : Tm(Π(A, x. B{x}))) (u : Tm(A)) : Tm(B{u})
rewrite @(λ(x. t{x}), u) --> t{u}


Once the theory is specified, we can start writing and typechecking terms 
inside it. For instance, supposing we have also added a Tarski-style universe U, 
we can check the following definition of the polymorphic identity function. 


let idU : Tm(Π(U, a. Π(El(a), _. El(a)))) := λ(a. λ(x. x))


To typecheck this definition, the tool first verifies that the sort given in
the annotation is indeed well-typed, and then checks the body of the definition
against the sort. If all the steps succeed, the identifier is added to a global scope
of top-level definitions and becomes available to be used in the rest of the file.

© The Author(s) 2024

Supposing that the underlying theory is valid, Theorem 2 of [5] ensures that, 
if the implementation says that a term is well-typed, then the term is indeed 
well-typed in the declarative type system of the theory. Note however that the 
implementation does not currently check if the supplied theory is valid. Extend- 
ing the implementation to check this automatically is future work, so for the 
time being this verification is left to the user. 

Finally, we also provide commands for evaluating terms to normal form and 
checking that two terms are definitionally equal. For instance, assuming we have 
added natural numbers to the theory and defined factorial, we can use these 
commands to compute the factorial of 3 and check that it is equal to 6. 


let fact3 : Tm(N) := @(fact, S(S(S(0))))
eval fact3

let 6 : Tm(N) := S(S(S(S(S(S(0))))))
check fact3 = 6


The implementation also comes with some examples of theories that can be 
defined in the framework, along with some examples of terms written in these 
theories. In the directory examples/ we can find the following files: 


— mltt.bitt : Martin-Löf Type Theory with a type-in-type Tarski-style uni-
verse, Π and Σ types, lists, booleans, and the unit, empty and W types.

— mltt-coquand.bitt : Martin-Löf Type Theory with a hierarchy of (weak) cu-
mulative Coquand-style universes and universe polymorphism, with Π types
and natural numbers.

— hol.bitt : Higher-Order Logic (also known as Simple Type Theory) with 
implication and universal quantification. 


2 The implementation 


The core of the implementation can be separated into two main parts: the type- 
checking and the normalization algorithms. Let us now discuss them in detail. 


Normalization 


Because the theories we support are dependently-typed, typechecking terms re- 
quires equality checking, which in turn requires reducing terms to normal form. 
In order to do so, we have implemented an untyped variant of Normalization by 
Evaluation (NbE), inspired by the works of Coquand [4], Abel [1] and Kovacs [8]. 
In NbE, terms are evaluated into a separate syntax of runtime values, in which 
binders are represented by closures and free variables by unknowns. Values can 
then be compared for equality by entering closures and recursively evaluating 
and comparing their bodies. One of the benefits of this approach is that, by 
using de Bruijn indices in the syntax of regular terms but de Bruijn levels in the
syntax of values, we completely avoid the need of implementing substitution or 
index-shifting functions. 

Let us go through the main functions used to implement normalization. In 
the following, we only discuss those that operate on terms, but each one has a 
counterpart for metavariable substitutions. First, because the definitional equal- 
ity of theories is generated by customizable rewrite systems, rewriting requires 
matching against patterns. This is done by the function 


val match_tm : p_tm -> v_tm -> v_msubst 


which matches a term value against a term pattern and produces a metavariable 
substitution of values (the prefix p_ stands for pattern, while v_ stands for value). 
This is then used in the function 


val eval_tm : tm -> v_msubst -> v_subst -> v_tm 


which evaluates a term under a v_subst mapping occurring variables to values 
and a v_msubst mapping occurring metavariables to values or closures. This is 
done by recursively evaluating subterms, then trying to match against one of the 
rewrite rule’s left hand sides and finally recursively evaluating the right hand side 
under the metavariable substitution returned by matching. 

Finally, values can be checked for equality with the function 


val equal_tm : v_tm -> v_tm -> int -> unit 


which recursively enters and evaluates closures while checking the result for 
equality, and raising an exception when the two given terms are not equal. The 
third argument is used for generating fresh unknowns when entering closures. 
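To make the description above concrete, here is an added example of the same design written in Python for this edit; it is not the tool's OCaml code, and it only loosely mirrors the signatures quoted above. Terms use de Bruijn indices and values use de Bruijn levels; λ evaluates to a closure, free variables become unknowns (VNe), and the readback (`quote`) is the only place where levels are converted to indices, so no substitution or shifting function is ever written. Rewrite rules are first-order patterns over constructor applications matched against values in the style of `match_tm`, and `equal` decides conversion directly on values with a level counter for fresh unknowns, as `equal_tm` does. The symbols zero, suc and add, their two rules, and every function name are constructed for this example.

```python
from dataclasses import dataclass

# ---- terms, with de Bruijn indices (all names constructed for this example) ----
@dataclass(frozen=True)
class Var: idx: int
@dataclass(frozen=True)
class Lam: body: object
@dataclass(frozen=True)
class App: fn: object; arg: object
@dataclass(frozen=True)
class Con: name: str; args: tuple        # symbol applied to arguments, e.g. add(x, y)
@dataclass(frozen=True)
class Meta: name: str                    # metavariable, used in rewrite-rule right-hand sides

# ---- values, with de Bruijn levels ----
@dataclass
class VLam: env: tuple; msub: dict; body: object   # closure: body is not yet evaluated
@dataclass
class VNe: lvl: int; spine: tuple        # unknown at level lvl applied to a spine of values
@dataclass
class VCon: name: str; args: tuple

# ---- rewrite rules: first-order patterns, no matching under binders ----
@dataclass(frozen=True)
class PMeta: name: str
@dataclass(frozen=True)
class PCon: name: str; args: tuple

zero = Con("zero", ())
def suc(t): return Con("suc", (t,))

# add(zero, y) --> y   and   add(suc(x), y) --> suc(add(x, y))
RULES = [
    (PCon("add", (PCon("zero", ()), PMeta("y"))), Meta("y")),
    (PCon("add", (PCon("suc", (PMeta("x"),)), PMeta("y"))),
     suc(Con("add", (Meta("x"), Meta("y"))))),
]

class NoMatch(Exception): pass

def match(pat, val, msub):
    """Bind the pattern's metavariables to sub-values of val, or raise NoMatch."""
    if isinstance(pat, PMeta):
        msub[pat.name] = val                 # patterns are linear: bind, no equality test
    elif isinstance(val, VCon) and val.name == pat.name and len(val.args) == len(pat.args):
        for p, v in zip(pat.args, val.args):
            match(p, v, msub)
    else:
        raise NoMatch

def rewrite(v):
    """Fire the first rule whose left-hand side matches v; otherwise v is already a value."""
    for lhs, rhs in RULES:
        msub = {}
        try:
            match(lhs, v, msub)
        except NoMatch:
            continue
        return eval_tm(rhs, msub, ())        # right-hand side evaluated under the matched substitution
    return v

def eval_tm(t, msub, env):
    """Evaluate t under a metavariable substitution and an environment (innermost binding last)."""
    if isinstance(t, Var):
        return env[-1 - t.idx]               # index i selects the i-th most recent binding
    if isinstance(t, Meta):
        return msub[t.name]
    if isinstance(t, Lam):
        return VLam(env, msub, t.body)       # no substitution, just capture the environment
    if isinstance(t, App):
        return apply(eval_tm(t.fn, msub, env), eval_tm(t.arg, msub, env))
    return rewrite(VCon(t.name, tuple(eval_tm(a, msub, env) for a in t.args)))

def apply(f, a):
    if isinstance(f, VLam):
        return eval_tm(f.body, f.msub, f.env + (a,))
    if isinstance(f, VNe):
        return VNe(f.lvl, f.spine + (a,))    # stuck application stays neutral
    raise TypeError("cannot apply a constructor value")

def quote(v, lvl):
    """Read a value back into a term; lvl counts the binders entered so far."""
    if isinstance(v, VLam):
        return Lam(quote(apply(v, VNe(lvl, ())), lvl + 1))
    if isinstance(v, VNe):
        t = Var(lvl - v.lvl - 1)             # the only place where levels meet indices
        for a in v.spine:
            t = App(t, quote(a, lvl))
        return t
    return Con(v.name, tuple(quote(a, lvl) for a in v.args))

def equal(v, w, lvl):
    """Compare values directly, entering closures with a fresh unknown at level lvl (no eta)."""
    if isinstance(v, VLam) and isinstance(w, VLam):
        x = VNe(lvl, ())
        return equal(apply(v, x), apply(w, x), lvl + 1)
    if isinstance(v, VNe) and isinstance(w, VNe):
        return v.lvl == w.lvl and len(v.spine) == len(w.spine) and all(
            equal(a, b, lvl) for a, b in zip(v.spine, w.spine))
    if isinstance(v, VCon) and isinstance(w, VCon):
        return v.name == w.name and len(v.args) == len(w.args) and all(
            equal(a, b, lvl) for a, b in zip(v.args, w.args))
    return False

def normalize(t):
    """Normal form of a closed term: evaluate, then read back at level 0."""
    return quote(eval_tm(t, {}, ()), 0)

def convertible(t, u):
    return equal(eval_tm(t, {}, ()), eval_tm(u, {}, ()), 0)
```

Note that `rewrite` is invoked on every constructor value as soon as its arguments are values, which is the call-by-value strategy discussed under "Differences with respect to the theory" below, and that `match` never looks inside a closure, which is why patterns under binders are out of reach for this setup.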


Typechecking 


The typechecking algorithm is composed of four main functions, each one im- 
plementing one of the judgment forms of the bidirectional system of [5]. 
Inference $\Gamma \vdash t \Rightarrow T$ and checking $\Gamma \vdash t \Leftarrow T$ are implemented by the functions 


val infer : v_ctx -> v_subst -> tm -> v_tm 
val check : v_ctx -> v_subst -> tm -> v_tm -> unit 


the first returning the inferred sort and the second returning unit on success. 
Note that, following works such as [4,8,7], we tightly integrate it with the NbE 
algorithm by asking all inputs to be already in the syntax of values, with the 
exception of the subject of the typing judgment. Compared with the usual in- 
ference and checking judgments, note also the addition of the second argument 
v_subst used to map the variables of the context v_ctx to unknowns for when 
needing to evaluate the subject. 

The third judgment $\Gamma \mid \mathbf{v} : \Theta \vdash \mathbf{u} \Leftarrow \Xi$ used to typecheck metavariable
substitutions is then rendered as the function


val check_msubst : v_ctx -> v_subst -> v_msubst -> msubst -> mctx -> v_msubst 
in which the argument corresponding to $\Theta$ is omitted for it is computationally
irrelevant. We also return the value of the checked metavariable substitution,
which comes in handy when coding the recursive case of its definition. Finally,
the last judgment $\Gamma \vdash T \Leftarrow \mathsf{sort}$ is implemented by the function


val check_sort : v_ctx -> v_subst -> tm -> unit 


whose type signature follows the same reasoning as above. 


Differences with respect to the theory 


We highlight some relevant differences regarding the theory presented in [5]. 

First, we do not support matching inside binders, which restricts the set of
patterns we can write. For instance, while the pattern $\lambda(x.t\{x\})$ is accepted, the
pattern $\lambda(x.S(t\{x\}))$ (assuming that $S$ is a constructor) would be rejected by
the implementation. This is because matching against it would require matching
inside a closure and then reading back the result into the syntax of terms, which
would be highly inefficient with our NbE setup. Thankfully, matching inside
binders is almost never needed and none of our provided examples require it.

Second, even though the inference system for matching and the proof of 
decidability of conversion in [5] employ the maximal outermost strategy, our 
NbE normalizer uses instead a call-by-value strategy. The maximal outermost 
strategy has the theoretical advantage over call-by-value of being normalizing, 
which means that it always terminates for weak normalizing theories. However, 
most theories used in practice are either strong normalizing or not normalizing at 
all. Moreover, call-by-value can be implemented very easily using our described 
NbE setup, which is the reason we opted for it instead. 

Third, instead of defining the typing functions over a specific grammar of 
checkable/inferable terms as done in [5], we define them over the grammar of 
(regular) terms. This means that these functions might discover in the process 
that the term given is not checkable/inferable, in which case an error is given. 

Finally, as seen in Section 1 our implementation also extends the bidirectional 
system with top-level definitions, which is crucial for allowing to write terms in 
a user-friendly manner. 


3 Future work 


The current implementation is still a prototype and can be extended in various 
ways. In particular, error handling is still rudimentary and improving it will be 
key in order to make BiTTs more user-friendly. 

We also plan to further test our implementation with larger and more real- 
istic examples. In particular, we would like to compare it with typecheckers for 
Dedukti [2,3], a framework aimed at providing a universal typechecker geared to- 
wards proof-system interoperability. Because Dedukti has no support for erased 
arguments, its terms are highly-annotated, which can have an important impact 
on performance. Our support for non-annotated syntaxes should therefore allow 
for shorter typechecking times, a hypothesis we hope to confirm with these tests. 
Abstract. Multiparty session types (MSTs) are a type-based approach to verifying
communication protocols, represented as global types in the framework.
We present a precise subtyping relation for asynchronous MSTs with communi- 
cating state machines (CSMs) as implementation model. We address two prob- 
lems: when can a local implementation safely substitute another, and when does 
an arbitrary CSM implement a global type? We define safety with respect to a 
given global type, in terms of subprotocol fidelity and deadlock freedom. Our 
implementation model subsumes existing work which considers local types with 
restricted choice. We exploit the connection between MST subtyping and refine- 
ment to formulate concise conditions that are directly checkable on the candidate 
implementations, and use them to show that both problems are decidable in poly- 
nomial time. 


Keywords: Protocol verification - Multiparty session types - Communicating 
state machines - Subtyping - Refinement. 


1 Introduction 


Multiparty session types (MSTs) are a type-based approach to verifying commu- 
nication protocols. In MST frameworks, a communication protocol is expressed as a 
global type, which describes the interactions of all protocol participants from a birds- 
eye view. The key property of interest in MST frameworks is implementability, which 
asks whether there exists a collection of local implementations, one per protocol par- 
ticipant, that is deadlock-free and produces the same set of behaviors described by the 
global type. The latter property is known as protocol fidelity. Given an implementable 
global type, the synthesis problem asks to compute such a collection. To solve im- 
plementability and synthesis, MST frameworks are often equipped with a projection 
operator, which is a partial map from global types to a collection of local implementa- 
tions. Projection operators compute a correct implementation for a given global type if 
one exists. 

However, projection operators only compute one candidate out of many possible 
implementations for a given global type, which narrows the usability of MST frame- 
works. As we demonstrate below, substituting this candidate can in some cases achieve 
an exponential reduction in the size of the local implementation. Furthermore, appli- 
cations may sometimes require that an implementation produce only a subset of the 


© The Author(s) 2024 
S. Weirich (Ed.): ESOP 2024, LNCS 14576, pp. 176-205, 2024. 
https://doi.org/10.1007/978-3-031-57262-3_8


Deciding Subtyping for Asynchronous Multiparty Sessions 177 


global type’s specified behaviors. We refer to this property as subprotocol fidelity. For 
example, a general client-server protocol may customize the set of requests it handles to 
the specific devices it runs on. Subtyping reintroduces this flexibility into MST frame- 
works, by characterizing when an implementation can replace another while preserving 
desirable correctness guarantees. 

Formally, a subtyping relation is a reflexive and transitive relation that respects
Liskov and Wing's substitution principle [39]: $T'$ is a subtype of $T$ when $T'$ can be
safely used in any context that expects a term of type $T$. While implementability for
MSTs was originally defined on syntactic local types [29,31], other implementation
models have since been investigated, including communicating session automata [21]
and behavioral contracts [16]. We motivate our work with the observation that a subtyp-
ing relation is only as powerful as its notion of safety, and the expressivity of its under-
lying implementation model. Existing subtyping relations adopt a notion of safety that
is agnostic to a global specification. For example, define safety as the successful
completion of a single role in binary sessions, [36] defines safety as eventual reception
and progress of all roles in multiparty sessions, and defines safety as the termi-
nation of all roles in multiparty sessions. As a result, these subtyping relations eagerly
reject subtypes that are viable for the specific global type at hand. In addition, existing
implementation models are restricted to local types with directed choice for branching,
or equivalent representations thereof [9], which prohibit a role from sending messages
to or receiving messages from different participants in a choice. This restrictiveness
undermines the flexibility that subtyping is fundamentally designed to provide.

We present a subtyping relation that extends prior work along both dimensions. We 
define a stronger notion of safety with respect to a given global type: a substitution is 
safe if in all well-behaved contexts, the resulting implementation satisfies both deadlock 
freedom and subprotocol fidelity. We assume an implementation model of unrestricted 
communicating state machines (CSMs) communicating via FIFO channels, which 
subsumes implementation models in prior work (pol[26|[36), We demonstrate that this 
generalization renders existing subtyping relations which are precise for a restrictive 
implementation model incomplete. As a result of both extensions, our subtyping rela- 
tion requires reasoning about available messages for completeness, a novel feature 
that is absent from existing subtyping relations. 

Our result applies to global types with sender-driven choice, which generalize global
types from their original formulation with directed choice [31], and borrows insights
from recent work on a sound and complete projection operator for this class of global
types [38].


Contributions. In this paper, we present the first precise subtyping relation that guar- 
antees deadlock freedom and subprotocol fidelity with respect to a global type, and that 
assumes an unrestricted, asynchronous CSM implementation model. We solve the Pro- 
tocol Verification problem and the Protocol Refinement problem with respect to global 
type G and a set of roles P: 


1. Protocol Verification: Given a CSM A, does A implement G? 

2. Protocol Refinement: Let p be a role and let B be a safe implementation for p in any 
well-behaved context for G. Given A, can A safely replace B in any well-behaved 
context for G? 
We exploit the connection between MST subtyping and CSM refinement to formulate
concise conditions that are directly checkable on candidate state machines. Using this
characterization, we show that both problems are decidable in polynomial time.


2 Motivation 


We first showcase that sound and complete projection operators can yield local imple-
mentations that are exponential in the size of their global type, but can be reduced to
constant size by subtyping. We then demonstrate the restrictiveness of existing subtyp-
ing relations both in terms of their notion of safety and their implementation model.


Subset projection with exponentially many states. We first construct a family of im-
plementable global types $\mathcal{G}_n$ for $n \in \mathbb{N}$ such that $\mathcal{G}_n$ has size linear in $n$ and the
deterministic finite state machine for $\mathsf{q}$ that recognizes the projection of the global lan-
guage onto $\mathsf{q}$'s alphabet $\Sigma_{\mathsf{q}}$, denoted $\mathcal{L}(\mathcal{G}_n){\Downarrow}_{\Sigma_{\mathsf{q}}}$, has size exponential in $n$.

The construction of the $\mathcal{G}_n$'s builds on the regular expression $(a^*(ab^*)^n a)^*$, which
can only be recognized by a deterministic finite state machine that grows exponentially
with $n$ [23, Thm. 11].

First, we construct the part for (ab*)^n a recursively. In global types, p→q:m denotes
role p sending a message m to role q, + denotes choice, μt binds a recursion variable t
that can be used in the continuation, and 0 denotes termination.

\[
G_i := p \to q : a.\ \mu t_i.\ \bigl( p \to r : m_3.\ p \to q : b.\ t_i \;+\; p \to r : n_3.\ G_{i-1} \bigr) \quad \text{for } i > 0
\qquad\text{and}\qquad
G_0 := p \to q : a.\ t_0
\]

Here, each G_i for i > 0 generates (ab*) and G_0 adds the last a. Role p's choice to
send either m_3 or n_3 to r respectively encodes the choice to continue iterating b's or
to stop in b*; q, however, is not involved in this exchange and thus q's local language is
isomorphic to (ab*)^n a.

Next, we define some scaffolding G(·) for the outermost Kleene star and the first a*:

\[
G(G'') := \mu t_0.\ \Bigl( p \to r : m_1.\ \mu t.\ \bigl( p \to r : m_2.\ p \to q : a.\ t \;+\; p \to r : n_2.\ G'' \bigr) \;+\; p \to r : n_1.\ 0 \Bigr)
\]

We combine both to obtain the family 𝐆_n := G(G_n), where the top-level type 𝐆_n is
distinguished from the inner G_n by bold face.

As 𝐆_n is implementable, the subset projection for each role is defined. One
feature of the implementations computed by this projection operator is local language
preservation, meaning that the language recognized by the local implementation is
precisely the projection of the global language onto its alphabet, e.g. L(𝐆_n)⇓_{Σ_q} for
role q with alphabet Σ_q. In this case, because L(𝐆_n)⇓_{Σ_q} can only be recognized by
a deterministic finite state machine with size exponential in n, the corresponding local
language preserving implementation also has size exponential in n.

However, not all implementations need to satisfy local language preservation. Consider
the type μt.(p→q:o. t + p→q:b. 0). The projection of the global language onto q
limits q to only receiving a sequence of o messages terminated by a b message. However,
an implementation for q can rely on p to send correct sequences of messages, and
[Fig. 1: Two state machines for role q: (a) A, (b) B]


instead accept any message that it receives. A similar pattern arises in the family 𝐆_n,
where the exponentially-sized implementation for role q can simply be substituted with
an automaton that allows it to receive any message from p.


The restrictiveness of existing MST subtyping relations. Consider the two implementations
for role p, represented as finite state machines A and B in Figs. 1a and 1b.
State machine A embodies the idea of input covariance by adding receive actions,
namely p◁q?m, which denotes role p receiving a message m from role q. But is it
the case that A is a subtype of B? A preliminary answer based on prior work
is no, for the reason that A falls outside of the implementation models considered in
these works: the initial state in A contains outgoing receive transitions from two
distinct senders, q and r, and one of the final states contains an outgoing transition. Thus,
there exists no local type representation of A.

As a first step, let us generalize the implementation model to machines with ar- 
bitrary finite state control, and revisit the question. It turns out that the answer now 
depends on what protocol role p, alongside the other roles in the context, is following. 
Consider the two global types

\[
G_1 := q \to p : m.\ r \to p : m.\ 0 \qquad\text{and}\qquad G_2 := q \to p : m.\ 0
\]

We observe that A is a subtype of B under the context of G_2, but not under the context
of G_1. Suppose that roles q and r are both following G_1, and thus both roles send a
message m to p. Under asynchrony, the two messages can arrive in p's channel in any
order; this holds even in a synchronous setting. Therefore, there exists an execution
trace in which p takes the transition labeled p◁r?m in A and first receives from r.
Role p then finds itself in a final state with a pending message from q that it is unable to
receive, thus causing a deadlock in the CSM. On the other hand, if q were following G_2,
the addition of the receive transition p◁r?m is safe because it is never enabled, and
thus A can safely compose with any context following G_2 without violating protocol
fidelity and deadlock freedom.


3 Preliminaries 
We restate relevant definitions from [38].


Words. Let Σ be a finite alphabet. Σ* denotes the set of finite words over Σ, Σ^ω the
set of infinite words, and Σ^∞ their union Σ* ∪ Σ^ω. A word u ∈ Σ* is a prefix of word
v ∈ Σ^∞, denoted u ≤ v, if there exists w ∈ Σ^∞ with u·w = v.
Message Alphabet. Let P be a set of roles and V be a set of messages. We define the
set of synchronous events Σ_sync := {p→q:m | p, q ∈ P and m ∈ V} where p→q:m
denotes that message m is sent by p to q atomically. This is split for asynchronous
events. For a role p ∈ P, we define the alphabet Σ_{p,!} = {p▷q!m | q ∈ P, m ∈ V}
of send events and the alphabet Σ_{p,?} = {p◁q?m | q ∈ P, m ∈ V} of receive events.
The event p▷q!m denotes role p sending a message m to q, and p◁q?m denotes role p
receiving a message m from q. We write Σ_p = Σ_{p,!} ∪ Σ_{p,?}, Σ_! = ⋃_{p∈P} Σ_{p,!}, and
Σ_? = ⋃_{p∈P} Σ_{p,?}. Finally, Σ_async = Σ_! ∪ Σ_?. We say that p is active in x ∈ Σ_async
if x ∈ Σ_p. For each role p ∈ P, we define a homomorphism ⇓_{Σ_p} where x⇓_{Σ_p} = x if
x ∈ Σ_p and ε otherwise. We fix P and V in the rest of the paper.


Global Types — Syntax. Global types for MSTs are defined by the grammar: 


\[
G ::= 0 \;\mid\; \sum_{i \in I} p \to q_i : m_i.\ G_i \;\mid\; \mu t.\ G \;\mid\; t
\]
where p, q_i range over P, m_i over V, and t over a set of recursion variables.

We require each branch of a choice to be distinct: ∀i, j ∈ I. i ≠ j ⇒ (q_i, m_i) ≠
(q_j, m_j), the sender and receiver of an event to be distinct: p ≠ q_i for each i ∈ I, and
recursion to be guarded: in μt. G, there is at least one message between μt and each t
in G. We omit Σ for singleton choices. When working with a protocol described by a
global type, we use 𝐆 (bold) to refer to the top-level type, and G to refer to its subterms.

We use the extended definition of global types from [38] featuring sender-driven
choice. This definition subsumes classical MSTs that only allow directed choice [31].
We focus on communication primitives and omit features like delegation or parametrization,
and refer the reader to [7] for a discussion of different MST frameworks.


Global Types — Semantics. As a basis for the semantics of a global type G, we construct
a finite state machine GAut(G) = (Q_G, Σ_sync, δ_G, q_{0,G}, F_G) where

– Q_G is the set of all syntactic subterms in G together with the term 0,

– δ_G consists of the transitions (Σ_{i∈I} p→q_i:m_i. G_i, p→q_i:m_i, G_i) for each i ∈ I,
as well as (μt.G', ε, G') and (t, ε, μt.G') for each subterm μt.G', and

– q_{0,G} = G and F_G = {0}.


We define a homomorphism split onto the asynchronous alphabet:
\[
\mathrm{split}(p \to q : m) := p \triangleright q!m \cdot q \triangleleft p?m\ .
\]


The semantics L(G) of a global type G is given by C^~(split(L(GAut(G)))) where
C^~ is the closure under the indistinguishability relation ~ [40]. Two events are
independent if they are not related by the happened-before relation [33]. For instance, any
two send events from distinct senders are independent. Two words are indistinguishable
if one can be reordered into the other by repeatedly swapping consecutive independent
events. The full definition can be found in the extended version [37].

We call a state q_G ∈ Q_G a send originating state, denoted q_G ∈ Q_{G,!}, for role p if
there exists a transition q_G --p→q:m--> q_G' ∈ δ_G, and a receive originating state, denoted
q_G ∈ Q_{G,?}, for p if there exists a transition q_G --q→p:m--> q_G' ∈ δ_G. We omit mention of
role p when clear from context.
Communicating State Machine (CSM). A = {A_p}_{p∈P} is a CSM over P and V if A_p =
(Q_p, Σ_p, δ_p, q_{0,p}, F_p) is a deterministic finite state machine over Σ_p for every p ∈ P.
Let Π_{p∈P} Q_p denote the set of global states and Chan = {(p, q) | p, q ∈ P, p ≠ q}
denote the set of channels. A configuration of A is a pair (s⃗, ξ), where s⃗ is a global
state and ξ : Chan → V* is a mapping from each channel to a sequence of messages.
We use s⃗_p to denote the state of p in s⃗. The CSM transition relation, denoted →, is
defined as follows.

– (s⃗, ξ) --p▷q!m--> (s⃗', ξ') if (s⃗_p, p▷q!m, s⃗'_p) ∈ δ_p, s⃗_r = s⃗'_r for every role r ≠ p,
ξ'(p, q) = ξ(p, q) · m and ξ'(c) = ξ(c) for every other channel c ∈ Chan.

– (s⃗, ξ) --q◁p?m--> (s⃗', ξ') if (s⃗_q, q◁p?m, s⃗'_q) ∈ δ_q, s⃗_r = s⃗'_r for every role r ≠ q,
ξ(p, q) = m · ξ'(p, q) and ξ'(c) = ξ(c) for every other channel c ∈ Chan.

In the initial configuration (s⃗_0, ξ_0), each role's state in s⃗_0 is the initial state q_{0,p} of A_p,
and ξ_0 maps each channel to ε. A configuration (s⃗, ξ) is said to be final iff s⃗_p is final
for every p and ξ maps each channel to ε. Runs and traces are defined in the expected
way. A run is maximal if either it is finite and ends in a final configuration, or it is
infinite. The language L(A) of the CSM A is defined as the set of maximal traces.
A configuration (s⃗, ξ) is a deadlock if it is not final and has no outgoing transitions.
A CSM is deadlock-free if no reachable configuration is a deadlock.
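The deadlock argument of Section 2 (Fig. 1's machines A and B for role p, placed in contexts following G_1 and G_2) can be replayed mechanically under the transition relation just defined. The following is an added example, not code from the paper: the tuple encodings of events, machines and configurations are assumptions of the example, and the shapes of A and B follow the description in Section 2.

```python
from collections import deque

# Encoding, constructed for this example (not the paper's own code):
#   ('!', p, q, m) is p|>q!m and ('?', p, q, m) is p<|q?m;
#   a local machine is (delta: {(state, event): state}, initial state, final states);
#   a CSM is a dict role -> machine; a configuration is (states, channels) in the
#   canonical form produced by canon(), so that it can be stored in a set.

def canon(states, chans):
    """Hashable configuration: sorted role states plus the non-empty channels."""
    return (tuple(sorted(states.items())),
            tuple(sorted((c, w) for c, w in chans.items() if w)))

def step(csm, conf):
    """Yield (event, conf') for every transition enabled in conf (CSM semantics)."""
    states, chans = dict(conf[0]), dict(conf[1])
    for r, (delta, _, _) in csm.items():
        for (s, ev), s2 in delta.items():
            if s != states[r]:
                continue
            kind, _, other, m = ev
            new = dict(chans)
            if kind == '!':                               # xi'(r,other) = xi(r,other).m
                new[(r, other)] = chans.get((r, other), ()) + (m,)
            elif chans.get((other, r), ())[:1] == (m,):   # xi(other,r) = m.xi'(other,r)
                new[(other, r)] = chans[(other, r)][1:]
            else:
                continue                                  # head of the channel is not m
            yield ev, canon({**states, r: s2}, new)

def is_final(csm, conf):
    """Final iff every role is in a final state and every channel is empty."""
    states, chans = dict(conf[0]), conf[1]
    return not chans and all(states[r] in fin for r, (_, _, fin) in csm.items())

def deadlocks(csm):
    """BFS over reachable configurations; returns the deadlocks, i.e. the
    configurations that are not final and have no outgoing transition."""
    init = canon({r: q0 for r, (_, q0, _) in csm.items()}, {})
    seen, todo, dead = {init}, deque([init]), []
    while todo:
        conf = todo.popleft()
        succ = [c2 for _, c2 in step(csm, conf)]
        if not succ and not is_final(csm, conf):
            dead.append(conf)
        for c2 in succ:
            if c2 not in seen:
                seen.add(c2); todo.append(c2)
    return dead

def sender(role, to, m):
    """A role that sends one m to `to` and then stops: q, and r under G1."""
    return ({(0, ('!', role, to, m)): 1}, 0, {1})

IDLE = ({}, 0, {0})        # r under G2, where r never sends anything

# Role p's machines of Fig. 1: B receives from q and then (optionally) from r;
# A additionally lets p receive r's message first, ending in a final state.
B = ({(0, ('?', 'p', 'q', 'm')): 1, (1, ('?', 'p', 'r', 'm')): 2}, 0, {1, 2})
A = ({**B[0], (0, ('?', 'p', 'r', 'm')): 3}, 0, {1, 2, 3})

def has_deadlock(p_machine, r_machine):
    """Compose p's machine with q sending m and the given r (G1: r sends; G2: idle)."""
    return bool(deadlocks({'p': p_machine,
                           'q': sender('q', 'p', 'm'),
                           'r': r_machine}))

if __name__ == '__main__':
    print(has_deadlock(A, sender('r', 'p', 'm')))   # True: r's m is received first
    print(has_deadlock(A, IDLE))                    # False: p<|r?m is never enabled
    print(has_deadlock(B, sender('r', 'p', 'm')))   # False
```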


Definition 3.1 (Implementability). We say that a CSM {A_p}_{p∈P} implements a global
type G if the following two properties hold: (i) protocol fidelity: L({A_p}_{p∈P}) =
L(G), and (ii) deadlock freedom: {A_p}_{p∈P} is deadlock-free. A global type G is
implementable if there exists a CSM that implements it.


One candidate implementation for global types can be computed directly from 
GAut(G), by removing actions unrelated to each role and determinizing the result. 
The following two definitions define this candidate implementation in two steps. 


Definition 3.2 (Projection by Erasure [38]). Let G be some global type with its state
machine GAut(G) = (Q_G, Σ_sync, δ_G, q_{0,G}, F_G). For each role p ∈ P, we define the
state machine GAut(G)⇓_p = (Q_G, Σ_p ⊎ {ε}, δ_⇓, q_{0,G}, F_G) where

\[
\delta_{\Downarrow} := \{\, q \xrightarrow{\mathrm{split}(a)\Downarrow_{\Sigma_p}} q' \;\mid\; q \xrightarrow{a} q' \in \delta_G \,\}\ .
\]

By definition of split(·), it holds that split(a)⇓_{Σ_p} ∈ Σ_p ⊎ {ε}.

We determinize GAut(G)⇓_p via a standard subset construction to obtain a
deterministic local state machine for p. Note that the construction ensures that Q_p only
contains subsets of Q_G whose states are reachable via the same traces.


Definition 3.3 (Subset Construction [38]). Let G be a global type and p be a role.
Then, the subset construction for p is defined as C(G, p) = (Q_p, Σ_p, δ_p, s_{0,p}, F_p) where

– δ(s, a) := {q' ∈ Q_G | ∃q ∈ s. q --ε* a ε*--> q' ∈ δ_⇓}, for every s ⊆ Q_G and a ∈ Σ_p,

– s_{0,p} := {q ∈ Q_G | q_{0,G} --ε-->* q},

– Q_p := lfp^⊆_{{s_{0,p}}} λQ. Q ∪ {δ(s, a) | s ∈ Q ∧ a ∈ Σ_p} \ {∅},

– δ_p := δ|_{Q_p × Σ_p}, and

– F_p := {s ∈ Q_p | s ∩ F_G ≠ ∅}.


Li et al. [38] showed that if G is implementable, then {C(G, p)}_{p∈P} implements G
and satisfies the following property:


Definition 3.4. Let G be a global type. We call an implementation {A_p}_{p∈P} local
language preserving with respect to G if L(A_p) = L(G)⇓_{Σ_p} for all p ∈ P.


For the remainder of the paper, we fix a global type G that we assume is imple- 
mentable. 


4 Deciding Protocol Verification 


Protocol Verification asks: Given a CSM A, does A implement G? For two CSMs A
and B, we say that A refines B if and only if every trace in A is a trace in B, and a
trace in A terminates maximally in A if and only if it terminates maximally in B. If
A and B refine each other, we say that they are equivalent. Further, in the case that B
is deadlock-free, one can simplify the condition to the following: every trace in A is a
trace in B, and if a trace terminates in A, then it terminates in B and is maximal in A.

We can recast Protocol Verification in terms of CSM refinement using the fact that
{C(G, p)}_{p∈P} is an implementation for G. Therefore, the question amounts to asking
whether A and {C(G, p)}_{p∈P} are equivalent.

Our goal is then to present a characterization C_1 that satisfies the following:


Theorem 4.1. Let G be an implementable global type and A be a CSM. Then, the
subset construction {C(G, p)}_{p∈P} and A are equivalent if and only if C_1 is satisfied.


We motivate our characterization for Protocol Verification using a series of examples.
Consider the following simple global type G_1:

\[
G_1 := p \to q : b.\ q \to p : b.\ 0 \;+\; p \to q : m.\ q \to p : m.\ 0
\]

This global type is trivially implementable; the subset construction for role p obtained
by the projection operator of Definition 3.3 is depicted in Fig. 2a. Clearly, in any CSM
implementing G_1, the subset construction can be replaced with the more compact state
machine A_1, shown in Fig. 2b.

For a local state machine in a CSM, control flow is determined by both the local
transition relation and the global channel state. However, in some cases, the local
information is redundant: the role's channel contents alone are enough to enforce that it
produces the correct behaviors. In the example above, after p chooses to send q either
m or b, q will guarantee that the correct message, i.e. the same one, is sent back to p.
Role p's state machine can rely on its channel contents to follow the protocol — it does
not need separate control states for each message. In fact, we can further replace p's
control states after sending with an accepting universal receive state, as shown in A_2 in
Fig. 2c. Finally, we can add send transitions from unreachable states, as shown in A_3 in
Fig. 2d.
[Fig. 2: Subset construction of G_1 onto p and three alternative implementations: (a) C(G_1, p), (b) A_1, (c) A_2, (d) A_3]

[Fig. 3: Subset construction of G_2 onto p and two alternative implementations: (a) C(G_2, p), (b) A_4, (c) A_5]


Similar patterns arise for send actions. Consider the following variation of the first
global type, G_2:

\[
G_2 := p \to q : b.\ p \to r : o.\ q \to p : b.\ 0 \;+\; p \to q : m.\ p \to r : o.\ q \to p : m.\ 0
\]


The subset construction (Definition 3.3) yields the state machine for p shown in Fig. 3a.

Our reasoning above shows that A_4, depicted in Fig. 3b, is a correct alternative
implementation for p. Now observe that the pre-states of the two p▷r!o transitions
can be collapsed because their continuations are identical. This yields another correct
alternative implementation A_5, shown in Fig. 3c.

Informally, the subset construction takes a “maximalist” approach, creating as many 
distinct states as possible from the global type, and checking whether they are enough 
to guarantee that the role behaves correctly. However, sometimes this maximalism cre- 
ates redundancy: just because two states are distinct according to the global type does 
not mean they need to be. In these cases, an implementation has the flexibility to merge 
certain distinct states together, or add transitions to a state. We wish to precisely char- 
acterize when such modifications to local state machines preserve protocol fidelity and 
deadlock freedom. 

Our conditions for C_1 are inspired by the Send and Receive Validity conditions that
precisely characterize implementability for global types, given in [38]. We restate the
conditions, in addition to relevant definitions, for clarity.




Definition 4.2 (Available messages [40]). The set of available messages is recursively
defined on the structure of the global type. For completeness, we need to unfold the
distinct recursion variables once. For this, we define a map getμ from variables to subterms
and write getμ_G for getμ(G):

\[
\mathrm{get}\mu(0) := [\,] \qquad
\mathrm{get}\mu(t) := [\,] \qquad
\mathrm{get}\mu(\mu t.\,G) := [t \mapsto G] \cup \mathrm{get}\mu(G) \qquad
\mathrm{get}\mu\bigl(\textstyle\sum_{i \in I} p \to q_i : m_i.\ G_i\bigr) := \bigcup_{i \in I} \mathrm{get}\mu(G_i)
\]

The function M keeps a set of unfolded variables T, which is empty initially.

\[
\begin{array}{rcl}
M^{B,T}_{(0\ldots)} & := & \emptyset \\[2pt]
M^{B,T}_{(\mu t.\,G\ldots)} & := & M^{B,T}_{(G\ldots)} \\[2pt]
M^{B,T}_{(t\ldots)} & := & \begin{cases} \emptyset & \text{if } t \in T \\ M^{B,\,T \cup \{t\}}_{(\mathrm{get}\mu_{\mathbf G}(t)\ldots)} & \text{otherwise} \end{cases} \\[8pt]
M^{B,T}_{(\sum_{i \in I} p \to q_i : m_i.\,G_i\ldots)} & := & \begin{cases} \bigcup_{i \in I} \bigl(M^{B,T}_{(G_i\ldots)} \setminus \{p \triangleright q_i!\_\}\bigr) \cup \{p \triangleright q_i!m_i\} & \text{if } p \notin B \\ \bigcup_{i \in I} M^{B,T}_{(G_i\ldots)} & \text{if } p \in B \end{cases}
\end{array}
\]

We write M^B_{(G...)} for M^{B,∅}_{(G...)}. If B is a singleton set, we omit set notation and write
M^p_{(G...)} for M^{{p}}_{(G...)}.

Intuitively, the available messages definition captures all of the messages that can 
be at the head of their respective channels when a particular role is blocked from taking 
further transitions. 

For notational convenience, we define the origin and destination of a transition following
[38], but generalized from the subset construction automaton.


Definition 4.3 (Transition Origin and Destination). Let G be a global type and let
δ_⇓ be the transition relation of GAut(G)⇓_p. For x ∈ Σ_p and s, s' ⊆ Q_G, we define the
set of transition origins tr-orig(s --x--> s') and transition destinations tr-dest(s --x--> s')
as follows:

\[
\mathrm{tr\text{-}orig}(s \xrightarrow{x} s') := \{\, G \in s \mid \exists G' \in s'.\ G \xrightarrow{x}{}^{*} G' \in \delta_{\Downarrow} \,\}
\quad\text{and}\quad
\mathrm{tr\text{-}dest}(s \xrightarrow{x} s') := \{\, G' \in s' \mid \exists G \in s.\ G \xrightarrow{x}{}^{*} G' \in \delta_{\Downarrow} \,\}\ .
\]


Li et al. [38] showed that G is implementable if and only if the subset construction
CSM {C(G, p)}_{p∈P} satisfies Send and Receive Validity for each C(G, p).


Definition 4.4 (Send Validity). C(G, p) satisfies Send Validity iff every send transition
s --x--> s' ∈ δ_p is enabled in all states contained in s:

\[
\forall s \xrightarrow{x} s' \in \delta_p.\ \ x \in \Sigma_{p,!} \implies \mathrm{tr\text{-}orig}(s \xrightarrow{x} s') = s\ .
\]


Definition 4.5 (Receive Validity). C(G, p) satisfies Receive Validity iff no receive
transition is enabled in an alternative continuation that originates from the same source
state:

\[
\forall s \xrightarrow{p \triangleleft q_1 ? m_1} s_1,\ s \xrightarrow{p \triangleleft q_2 ? m_2} s_2 \in \delta_p.\ \
q_1 \neq q_2 \implies \forall G_2 \in \mathrm{tr\text{-}dest}(s \xrightarrow{p \triangleleft q_2 ? m_2} s_2).\ \ q_1 \triangleright p!m_1 \notin M^{p}_{(G_2\ldots)}\ .
\]


We wish to adapt these conditions to define C_1. However, unlike Send and Receive
Validity, which are defined on special state machines, namely the subset construction
for each role, the Protocol Verification problem asks whether arbitrary state machines
implement the given G.

We first present a state decoration function which maps local states in an arbitrary
deterministic finite state machine to sets of global states in G. Intuitively, state decoration
captures all global states that can be reached in the projection by erasure automaton
GAut(G)⇓_p on the same prefixes that reach the present state in the local state machine.
Definition 4.6 (State decoration with respect to G). Let p ∈ P be a role and let
A = (Q, Σ_p, δ, s_0, F) be a deterministic finite state machine for p. Let GAut(G)⇓_p
= (Q_G, Σ_p ⊎ {ε}, δ_⇓, q_{0,G}, F_G) be p's projection by erasure state machine for G. We
define a total function d_{G,A,p} : Q → 2^{Q_G} that maps each state in A to a subset of states
in GAut(G)⇓_p such that:

\[
d_{G,A,p}(s) = \{\, q \in Q_G \mid \exists u \in \Sigma_p^{*}.\ s_0 \xrightarrow{u}{}^{*} s \in \delta \;\wedge\; q_{0,G} \xrightarrow{u}{}^{*} q \in \delta_{\Downarrow} \,\}\ .
\]

We refer to d_{G,A,p}(s) as the decoration set of s, and omit the subscripts G, A, p when
clear from context.


Remark 4.7. Note that the subset construction can be viewed as a special state machine
for which the state decoration function is the identity function. In other words, for all
s ∈ Q_p where Q_p is the set of states of C(G, p), d(s) = s.


We are now equipped to present C_1.


Definition 4.8 (C_1). Let G be a global type and A be a CSM. C_1 is satisfied when for
all p ∈ P, with A_p = (Q_p, Σ_p, δ_p, s_{0,p}, F_p) denoting the state machine for p in A, the
following conditions hold:

– Send Decoration Validity: every send transition s --p▷q!m--> s' ∈ δ_p is enabled in all states
decorating s:
\[
\forall s \xrightarrow{p \triangleright q!m} s' \in \delta_p.\ \ \mathrm{tr\text{-}orig}(d(s) \xrightarrow{p \triangleright q!m} d(s')) = d(s)\ .
\]

– Receive Decoration Validity: no receive transition is enabled in an alternative
continuation originating from the same state:
\[
\forall s \xrightarrow{p \triangleleft q_1 ? m_1} s_1,\ s \xrightarrow{x} s_2 \in \delta_p.\ \
x \neq p \triangleleft q_1 ? \_ \implies \forall G' \in \mathrm{tr\text{-}dest}(d(s) \xrightarrow{x} d(s_2)).\ \ q_1 \triangleright p!m_1 \notin M^{p}_{(G'\ldots)}\ .
\]

– Transition Exhaustivity: every transition that is enabled in some global state
decorating s must be an outgoing transition from s:
\[
\forall s \in Q_p.\ \forall G \xrightarrow{x}{}^{*} G' \in \delta_{\Downarrow}.\ \ G \in d(s) \implies \exists s' \in Q_p.\ s \xrightarrow{x} s' \in \delta_p\ .
\]

– Final State Validity: a reachable state with a non-empty decorating set is final if its
decorating set contains a final global state:
\[
\forall s \in Q_p.\ \ d(s) \neq \emptyset \implies (d(s) \cap F_G \neq \emptyset \implies s \in F_p)\ .
\]
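As an added example (not the paper's or the authors' code), the following Python builds GAut(G) and the projection by erasure (Definition 3.2), the subset construction (Definition 3.3) and the state decoration (Definition 4.6), and then checks Send Decoration Validity, Transition Exhaustivity and Final State Validity of Definition 4.8 for G_1 and the compact machine A_1 of Section 4. The tuple encoding of global types and events is an assumption of the example, and Receive Decoration Validity is not checked because it needs the available message sets of Definition 4.2.

```python
# Global type syntax, constructed for this example (not the paper's own code):
#   ('end',)                           0
#   ('choice', p, [(q, m, G), ...])    sum over i of p->q_i:m_i.G_i
#   ('mu', t, G) / ('var', t)          recursion binder / recursion variable
# Async events: ('!', p, q, m) is p|>q!m and ('?', p, q, m) is p<|q?m.

def gaut(G):
    """GAut(G): subterms numbered in visiting order; transitions (src, label, dst)
    with label (p, q, m) for p->q:m, or None for an eps step (mu unfolding)."""
    terms, delta = [], []
    def build(term, env):
        i = len(terms); terms.append(term)
        if term[0] == 'choice':
            for q, m, cont in term[2]:
                delta.append((i, (term[1], q, m), build(cont, env)))
        elif term[0] == 'mu':
            delta.append((i, None, build(term[2], {**env, term[1]: i})))
        elif term[0] == 'var':
            delta.append((i, None, env[term[1]]))
        return i
    q0 = build(G, {})
    return delta, q0, {i for i, t in enumerate(terms) if t[0] == 'end'}

def erase(label, r):
    """split(p->q:m) projected onto Sigma_r (Def. 3.2): a send, a receive or eps."""
    if label is None:
        return None
    p, q, m = label
    return ('!', r, q, m) if p == r else ('?', r, p, m) if q == r else None

def closure(delta, s):
    """eps-closure of a set of GAut states in the erased automaton."""
    s, todo = set(s), list(s)
    while todo:
        x = todo.pop()
        for src, a, dst in delta:
            if src == x and a is None and dst not in s:
                s.add(dst); todo.append(dst)
    return frozenset(s)

def subset_construction(G, r):
    """C(G, r) of Def. 3.3 as (Q, delta, s0, F), plus the erased GAut and F_G."""
    delta, q0, fin = gaut(G)
    de = [(a, erase(l, r), c) for a, l, c in delta]
    alphabet = {l for _, l, _ in de if l is not None}
    s0 = closure(de, {q0})
    Q, dp, todo = {s0}, {}, [s0]
    while todo:
        s = todo.pop()
        for a in alphabet:
            t = closure(de, {c for x in s for src, l, c in de if src == x and l == a})
            if t:                          # the empty set is dropped, as in Def. 3.3
                dp[(s, a)] = t
                if t not in Q:
                    Q.add(t); todo.append(t)
    return (Q, dp, s0, {s for s in Q if s & fin}), (de, fin)

def decorate(A, C):
    """Decoration sets d(s) of Def. 4.6: the C(G, p) states paired with s in the
    synchronous product of A and C(G, p), i.e. states reached on the same prefixes."""
    Qa, da, a0, _ = A
    _, dc, c0, _ = C
    d = {s: set() for s in Qa}
    seen, todo = {(a0, c0)}, [(a0, c0)]
    while todo:
        s, t = todo.pop()
        d[s] |= t
        for (src, a), dst in da.items():
            if src == s and (t, a) in dc and (dst, dc[(t, a)]) not in seen:
                seen.add((dst, dc[(t, a)])); todo.append((dst, dc[(t, a)]))
    return d

def check_c1(G, p, A):
    """Names of the Def. 4.8 conditions violated by role p's machine A (Receive
    Decoration Validity needs available-message sets and is not checked here)."""
    C, (de, fin) = subset_construction(G, p)
    Qa, da, _, Fa = A
    d = decorate(A, C)
    failed = set()
    for (s, x), s2 in da.items():
        if x[0] == '!':                    # tr-orig(d(s) -x-> d(s2)) must equal d(s)
            orig = {g for g in d[s] if any(a == g and l == x and c in d[s2] for a, l, c in de)}
            if orig != d[s]:
                failed.add('send')
    for s in Qa:
        for g, l, _ in de:                 # every enabled global transition must exist in A
            if g in d[s] and l is not None and (s, l) not in da:
                failed.add('exhaustive')
        if d[s] and d[s] & fin and s not in Fa:
            failed.add('final')
    return failed

# G1 := p->q:b.q->p:b.0 + p->q:m.q->p:m.0 (from the text) and A1 of Fig. 2b, which
# merges p's two post-send states and its two final states.
G1 = ('choice', 'p', [('q', 'b', ('choice', 'q', [('p', 'b', ('end',))])),
                      ('q', 'm', ('choice', 'q', [('p', 'm', ('end',))]))])
A1 = ({0, 1, 2}, {(0, ('!', 'p', 'q', 'b')): 1, (0, ('!', 'p', 'q', 'm')): 1,
                  (1, ('?', 'p', 'q', 'b')): 2, (1, ('?', 'p', 'q', 'm')): 2}, 0, {2})
# A1 with the p<|q?m receive dropped: the m-branch can no longer be completed.
A_BAD = ({0, 1, 2}, {k: v for k, v in A1[1].items() if k[1] != ('?', 'p', 'q', 'm')}, 0, {2})

if __name__ == '__main__':
    print(check_c1(G1, 'p', A1))       # set()
    print(check_c1(G1, 'p', A_BAD))    # {'exhaustive'}
```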
We want to show the following equivalence to prove Theorem 4.1:
\[
C_1 \iff A \text{ refines } \{C(G, p)\}_{p \in P} \text{ and } \{C(G, p)\}_{p \in P} \text{ refines } A\ .
\]


We address soundness (the forward direction) and completeness (the backward direction)
in turn. Soundness states that C_1 is sufficient to show that A preserves all
behaviors of the subset construction, and does not introduce new behaviors.

We say that a state machine A for role p satisfies Local Language Inclusion if it
satisfies L(G)⇓_{Σ_p} ⊆ L(A). The following lemma, proven in the extended version [37],
establishes that Local Language Inclusion follows from Transition Exhaustivity and
Final State Validity.
Lemma 4.9. Let A_p = (Q_p, Σ_p, δ_p, s_{0,p}, F_p) denote the state machine for p in A. Then,
Transition Exhaustivity and Final State Validity imply L(G)⇓_{Σ_p} ⊆ L(A_p).


The fact that A preserves behaviors follows immediately from Local Language In- 
clusion. The fact that A does not introduce new behaviors, on the other hand, is enforced 
by Send Decoration Validity and Receive Decoration Validity. 

In the soundness proof for each of our conditions, we prove refinement via structural 
induction on traces. We show refinement in two steps, first showing that any trace in one 
CSM is a trace in the other, and then showing that any terminated trace in one CSM is 
terminated in the other and maximal. 

We recall two definitions from [38] used in the soundness proof.


Definition 4.10 (Intersection sets). Let G be a global type and GAut(G) be the
corresponding state machine. Let p be a role and w ∈ Σ*_async be a word. We define the set
of possible runs R^G_p(w) as all maximal runs of GAut(G) that are consistent with p's
local view of w:

\[
R^{G}_{p}(w) := \{\, \rho \text{ is a maximal run of } \mathrm{GAut}(G) \mid w\Downarrow_{\Sigma_p} \le \mathrm{split}(\mathrm{trace}(\rho))\Downarrow_{\Sigma_p} \,\}\ .
\]

We denote the intersection of the possible run sets for all roles as

\[
I(w) := \bigcap_{p \in P} R^{G}_{p}(w)\ .
\]


Definition 4.11 (Unique splitting of a possible run). Let G be a global type, p a role,
and w ∈ Σ*_async a word. Let ρ be a possible run in R^G_p(w). We define the longest prefix
of ρ matching w:

\[
\alpha' := \max\{\, \rho' \mid \rho' \le \rho \;\wedge\; \mathrm{split}(\mathrm{trace}(\rho'))\Downarrow_{\Sigma_p} \le w\Downarrow_{\Sigma_p} \,\}\ .
\]

If α' ≠ ρ, we can split ρ into ρ = α · G --l--> G' · β where α' = α · G, G' denotes the state
following G, and β denotes the suffix of ρ following α · G · G'. We call α · G --l--> G' · β the
unique splitting of ρ for p matching w. We omit the role p when obvious from context.
This splitting is always unique because the maximal prefix of any ρ ∈ R^G_p(w) matching
w is unique.


Lemma 4.12 (Soundness of C_1). C_1 implies that A and {C(G, p)}_{p∈P} are equivalent.


Proof. The proof that C_1 implies {C(G, p)}_{p∈P} refines A depends only on Local
Language Inclusion and can be straightforwardly adapted from [38, Lemma 4.4]. We
instead focus on showing that C_1 implies A refines {C(G, p)}_{p∈P}, which depends
on the other two conditions in C_1. First, we prove that any trace in A is a trace in
{C(G, p)}_{p∈P}:

Claim 1: ∀ w ∈ Σ^∞_async: w is a trace in A implies w is a trace in {C(G, p)}_{p∈P}.

We prove the claim by induction for all finite w. The infinite case follows from the
finite case because {C(G, p)}_{p∈P} is deterministic and all prefixes of w are traces of A
and, hence, of {C(G, p)}_{p∈P}. The base case, where w = ε, is trivially discharged by
the fact that ε is a trace of all CSMs. In the inductive step, assume that w is a trace of A.
Let x ∈ Σ_async such that wx is a trace of A. We want to show that wx is also a trace of
{C(G, p)}_{p∈P}.

From the induction hypothesis, we know that w is a trace of {C(G, p)}_{p∈P}. Let ξ
be the channel configuration uniquely determined by w. Let (s⃗, ξ) be the A configuration
reached on w, and let (t⃗, ξ) be the {C(G, p)}_{p∈P} configuration reached on w.

Let q be the role such that x ∈ Σ_q, and let s, t denote s⃗_q, t⃗_q from the respective
CSM configurations reached on w for A and {C(G, p)}_{p∈P}.

To show that wx is a trace of {C(G, p)}_{p∈P}, it thus suffices to show that there
exists a state t' and a transition t --x--> t' in C(G, q).

Since {C(G, p)}_{p∈P} implements G, all finite traces of {C(G, p)}_{p∈P} are prefixes
of L(G). In other words, w ∈ pref(L(G)). Let ρ be a run such that ρ ∈ I(w);
such a run must exist from [38, Lemma 6.3]. Let α · G --l--> G' · β be the unique splitting
of ρ for q matching w. From the definition of state decoration, it holds that G ∈ d(s).
From the definition of the subset construction, it holds that G ∈ t.

We proceed by case analysis on whether x is a send or receive event.


– Case x ∈ Σ_{q,!}. Let x = q▷r!m. By assumption, there exists s --q▷r!m--> s' in A_q. We
instantiate Send Decoration Validity from C_1 with q and this transition to obtain:

\[
\mathrm{tr\text{-}orig}(d(s) \xrightarrow{q \triangleright r!m} d(s')) = d(s)\ .
\]

From G ∈ d(s), it follows that there exists G' ∈ Q_G such that G --x-->* G' ∈ δ_⇓.
Because G ∈ t, the existence of t' such that t --x--> t' is a transition in C(G, q)
follows immediately from the definition of C(G, q)'s transition relation.

– Case x ∈ Σ_{q,?}. Let x = q◁r?m.

From the fact that ρ is a maximal run in G with unique splitting α · G --l--> G' · β for
q matching w, it holds that w⇓_{Σ_q} · split(l)⇓_{Σ_q} ∈ pref(L(G))⇓_{Σ_q}. From
[38, Lemma 4.3], L(G)⇓_{Σ_q} = L(C(G, q)). Therefore, there exists a t'' such that
t --split(l)⇓_{Σ_q}--> t'' is a transition in C(G, q). From Transition Exhaustivity, there
likewise exists an s'' such that s --split(l)⇓_{Σ_q}--> s'' is a transition in A_q.

We now proceed by showing that it must be the case that split(l)⇓_{Σ_q} = x. The
reasoning closely follows that in [38, Lemma 6.4], which showed that if Receive
Validity holds for the subset construction, and some role's subset construction
automaton can perform a receive action, then the trace extended with the receive
action remains consistent with any global run it was consistent with before. We
generalize this property in terms of available message sets in the following lemma,
whose proof can be found in the extended version [37].


Lemma 4.13. Let A be a CSM, q be a role, and w, wx be traces of A such that
x = q◁r?m. Let s be the state of q's state machine in the A configuration reached
on w. Let ρ be a run that is consistent with w, i.e. for all p ∈ P. w⇓_{Σ_p} ≤
split(trace(ρ))⇓_{Σ_p}. Let α · G --l--> G' · β be the unique splitting of ρ for q matching
w. If r▷q!m ∉ M^q_{(G'...)}, then x = split(l)⇓_{Σ_q}.
We wish to apply Lemma 4.13 with ρ to conclude that split(l)⇓_{Σ_q} = x. We
satisfy the assumption that r▷q!m ∉ M^q_{(G'...)} by instantiating Receive Decoration
Validity with s --q◁r?m--> s', s --split(l)⇓_{Σ_q}--> s'' and G'. The fact that G' ∈
tr-dest(d(s) --split(l)⇓_{Σ_q}--> d(s'')) follows from the fact that α · G --l--> G' · β is a
run in G and the definition of state decoration (Definition 4.6). Thus, we conclude
from split(l)⇓_{Σ_q} = x that there exists a transition t --x--> t'' in C(G, q).


This concludes our proof that any trace in A is also a trace of {C(G, p)}_{p∈P}.

Claim 2: ∀ w ∈ Σ*_async: w is terminated in A ⇒ w is terminated in {C(G, p)}_{p∈P}
and w is maximal in A.

Let w be a terminated trace in A. By Claim 1, w is also a trace in {C(G, p)}_{p∈P}.
Let ξ be the channel configuration uniquely determined by w. Let the {C(G, p)}_{p∈P}
configuration reached on w be (t⃗, ξ), and let (s⃗, ξ) be the A configuration reached on w.
To see that every terminated trace in A is also terminated in {C(G, p)}_{p∈P}, assume
by contradiction that w is not terminated in {C(G, p)}_{p∈P}. Because {C(G, p)}_{p∈P}
is deadlock-free, there must exist a role that can take a step in {C(G, p)}_{p∈P}. Let q
be this role, and let x be the transition that is enabled from t⃗_q. From Local Language
Inclusion and the fact that {C(G, p)}_{p∈P} is deadlock-free, it holds that x is also
enabled from s⃗_q. We arrive at a contradiction. To see that every terminated trace in A is
maximal, from the above we know that w is terminated in {C(G, p)}_{p∈P}. From the
fact that {C(G, p)}_{p∈P} is deadlock-free, w is maximal in {C(G, p)}_{p∈P}: all states
in t⃗ are final and all channels in ξ are empty. From Local Language Inclusion, it follows
that all states in s⃗ are also final, and thus w is maximal in A.


Lemma 4.14 (Completeness of C_1). If A and {C(G, p)}_{p∈P} are equivalent, then
C_1 holds.


We show completeness via modus tollens: we assume a violation in C_1 and the
fact that A and {C(G, p)}_{p∈P} are equivalent, and prove a contradiction. Since C_1 is
a conjunction of four conditions, we derive a contradiction from the violation of each
condition in turn. In the interest of proof reuse, we specify which of the two refinement
conjuncts we contradict for each condition, and refer the reader to the extended
version for the full proofs.

From the negation of Transition Exhaustivity and Final State Validity, we contradict
the fact that {C(G, p)}_{p∈P} refines A.


Lemma 4.15. If A violates Transition Exhaustivity or Final State Validity, then it does
not hold that {C(G, p)}_{p∈P} refines A.


Unlike the proofs for Transition Exhaustivity and Final State Validity, the proofs 
for the remaining two conditions require both refinement conjuncts to prove a contra- 
diction. Both proofs find a contradiction by obtaining a witness from the violation of 
Send Decoration Validity and Receive Decoration Validity respectively, and showing 
that the same witness can be used to refute Send and Receive Validity for the subset 
construction. 


Lemma 4.16. If A violates Send Decoration Validity or Receive Decoration Validity,
then it does not hold that A and {C(G, p)}_{p∈P} are equivalent.
[Fig. 4: CSM violating subprotocol fidelity with respect to G_loop: (a) State machine C(G, p), (b) State machine B_1]


5 Deciding Protocol Refinement 


We now turn our attention to Protocol Refinement, which asks when an implementation 
can safely substitute another in all well-behaved contexts with respect to G. Here, we 
introduce a new notion of refinement with respect to a global type. 


Definition 5.1 (Protocol refinement with respect to G). We say that a CSM {A_p}_{p∈P}
refines a CSM {B_p}_{p∈P} with respect to a global type G if the following properties
hold: (i) subprotocol fidelity: ∃S ⊆ L(GAut(G)). L({A_p}_{p∈P}) = C^~(split(S)),
(ii) language inclusion: L({A_p}_{p∈P}) ⊆ L({B_p}_{p∈P}), and (iii) deadlock freedom:
{A_p}_{p∈P} is deadlock-free.


Item (i), subprotocol fidelity, sets our notion of refinement apart from standard
refinement. We motivate this difference briefly using an example. Consider the CSM
consisting of the subset construction for p and B_1, depicted in Fig. 4. This CSM recognizes
only words of the form (p▷q!m)^ω. It is nonetheless considered to refine the global type
G_loop := μt. p→q:m. t according to the standard notion of refinement, despite the
fact that p's messages are never received by q. This is because L(G_loop), containing
only infinite words, is defined in terms of an asymmetric downward closure operator
⪯~, which allows receives to be infinitely postponed. We desire a notion of refinement
that allows roles to select which runs to follow in a global type, but disallows them from
selecting which words to implement among ones that follow the same run. More
formally, our notion of protocol refinement prohibits selectively implementing words that
are equivalent under the indistinguishability relation ~: any CSM that refines another
with respect to a global type has a language that is closed under ~.

In the remainder of the paper, we refer to refinement with respect to G, and omit
mention of G when clear from context. Again using the fact that {C(G, p)}_{p∈P}
is an implementation for G, we say that a CSM {A_p}_{p∈P} refines G if it refines
{C(G, p)}_{p∈P}.

We motivate our formulation of the Protocol Refinement problem by posing the 
following variation of Protocol Verification, which we call Monolithic Protocol Refine- 
ment: 


Given an implementable global type G and a CSM A, does A refine {C(G, p)}_{p∈P}?

This variation asks for a condition, C'_1, that satisfies the equivalence:
\[
C'_1 \iff A \text{ refines } \{C(G, p)\}_{p \in P}\ .
\]

Clearly, C_1 is still a sound candidate as equivalence of two CSMs implies
bi-directional protocol refinement. It is instructive to analyze why the completeness
arguments for C_1 fail. Recall that the completeness proofs for Send Decoration Validity
[Fig. 5: Subset construction for p and two state machines for q and r for $G'$. (a) State machine $\mathcal{C}(G, p)$; (b) State machine $A'_q$; (c) State machine $A'_r$.]


and Receive Decoration Validity used the violation of each condition to obtain a local state with a non-empty decoration set, which in turn gives rise to a prefix in $\mathcal{L}(G)$ that must be a trace in the subset construction. This trace is then replayed in the arbitrary CSM, extended in the arbitrary CSM, and then replayed again in the subset construction. This sequence of replaying arguments critically relied on both the assumption that $\mathcal{A}$ refines $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ and the assumption that $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ refines $\mathcal{A}$.

If we cannot assume that $\mathcal{A}$ recognizes every behavior of $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$, then the reachable local states of $\mathcal{A}$ are no longer precisely characterized by having a non-empty decoration set.

Consider the example global type $G'$:

$G' := p \to q : m.\ \big(\ r \to q : b.\ p \to r : m.\ (q \to r : b.\ 0 \;+\; q \to r : o.\ 0) \;+\; r \to q : o.\ p \to r : m.\ (q \to r : b.\ 0 \;+\; q \to r : o.\ 0)\ \big)$

Let the CSM $\mathcal{A}'$ consist of the subset construction automaton for p, and the state machines $A'_q$ and $A'_r$ given in Figs. 5b and 5c. The receive transitions highlighted in red are safe despite violating Receive Decoration Validity, because q and r coordinate with each other on which runs of G they eliminate: r chooses to never send a b to q, thus q's highlighted transition is safe, and conversely, q never chooses to send o to r, thus r's highlighted transition is safe. Consequently, $\mathcal{A}'$ refines $G'$ despite violating $C_1$.

This example shows that any condition C that is compositional must sacrifice completeness. In fact, deciding whether an arbitrary CSM $\mathcal{A}$ refines the subset construction $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ for some global type G can be shown to be PSPACE-hard via a reduction from the deadlock-freedom problem for 1-safe Petri nets [24]. We refer the reader to the extended version for the full construction.

Lemma 5.2. The Monolithic Protocol Refinement problem is PSPACE-hard.

Fortunately, we can recover completeness and tractability by only allowing changes to one state machine in $\mathcal{A}$ at a time. Next, we formalize the notions of CSM contexts and well-behavedness with respect to G. We use $\mathcal{A}[\cdot]_p$ to denote a CSM context with a hole for role $p \in \mathcal{P}$, and $\mathcal{A}[A]_p$ to denote the CSM obtained by instantiating the context with state machine A for p. We define well-behaved contexts in terms of the canonical implementation $\mathcal{C}(G,p)$.
[Fig. 6: Two candidate implementations for p. (a) Removing sends; (b) Removing receives.]


Definition 5.3 (Well-behaved CSM contexts with respect to G). Let $\mathcal{A}[\cdot]_p$ be a CSM context. We say that $\mathcal{A}[\cdot]_p$ is well-behaved with respect to G if $\mathcal{A}[\mathcal{C}(G,p)]_p$ refines G. We omit G when clear from context.

Protocol Refinement asks to find a $C_2$ that satisfies the following:

Theorem 5.4. Let G be an implementable global type, p be a role, and A, B be state machines for role p such that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[B]_p$ refines G. Then, for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$ if and only if $C_2$ is satisfied.

5.1 Protocol Refinement Relative to Subset Construction

As a stepping stone, we first consider the special case of Protocol Refinement when B is the subset construction automaton for role p. That is, we present $C_2'$ that satisfies the following equivalence:

$C_2' \iff$ for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[\mathcal{C}(G,p)]_p$.

The relaxation on language equality from Protocol Verification means that state machine A no longer needs to satisfy Local Language Inclusion, which grants us more flexibility: state machines are now permitted to remove send events. Let us revisit our example global type, $G_1$:

$G_1 := p \to q : b.\ q \to p : b.\ 0 \;+\; p \to q : m.\ q \to p : m.\ 0$

Consider the candidate state machine for role p given in Fig. 6a. The CSM obtained from inserting this state machine into any well-behaved context refines G, despite the fact that p never sends m. In general, send events can safely be removed from reachable states in a local state machine without violating subprotocol fidelity or deadlock freedom, as long as not all of them are removed.

The same is not true of receive events, on the other hand. The state machine in Fig. 6b is not a safe candidate for p, because it causes a deadlock in the well-behaved context that consists of the subset construction for every other role.

Our characterization intuitively follows the notion that input types (receive events) are covariant, and output types (send events) are contravariant. However, note that the state machine above cannot be represented in existing works [20, 26]: their local types support neither states with both outgoing send and receive events, nor states with outgoing send or receive events to/from different roles.
Our characterization $C_2'$ reuses Send Decoration Validity, Receive Decoration Validity and Final State Validity from $C_1$, but splits Transition Exhaustivity into a separate condition for send and receive events, to reflect the aforementioned asymmetry between them.

Definition 5.5 ($C_2'$). Let $p \in \mathcal{P}$ be a role and let $A = (Q, \Sigma_p, s_0, \delta, F)$ be a state machine for p. $C_2'$ is satisfied when the following conditions hold in addition to Send Decoration Validity, Receive Decoration Validity and Final State Validity:

– Send Preservation: every state containing a send-originating global state must have at least one outgoing send transition:
$\forall s \in Q.\ (\exists G \in Q_{!}.\ G \in d(s)) \implies \exists x \in \Sigma_{p,!},\ s' \in Q.\ s \xrightarrow{x} s' \in \delta.$

– Receive Exhaustivity: every receive transition that is enabled in some global state decorating s must be an outgoing transition from s:
$\forall s \in Q.\ \forall G \xrightarrow{x}{}^{*} G' \in \delta_p.\ G \in d(s) \land x \in \Sigma_{p,?} \implies \exists s' \in Q.\ s \xrightarrow{x} s' \in \delta.$

We want to show the following equivalence:

$C_2' \iff$ for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[\mathcal{C}(G,p)]_p$.

We first prove the soundness of $C_2'$.


Lemma 5.6 (Soundness of $C_2'$). If $C_2'$ holds, then for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[\mathcal{C}(G,p)]_p$.

Proof. Let $\mathcal{A}[\cdot]_p$ be a well-behaved context with respect to G. Like before, we first prove that any trace in $\mathcal{A}[A]_p$ is a trace in $\mathcal{A}[\mathcal{C}(G,p)]_p$.

Claim 1: $\forall w \in \Sigma^*_{\mathrm{sync}}.\ w$ is a trace in $\mathcal{A}[A]_p \implies w$ is a trace in $\mathcal{A}[\mathcal{C}(G,p)]_p$.


The proof of Claim 1 for $C_2'$ differs from that for $C_1$ in only two ways. We discuss the differences in detail below, and avoid repeating the rest of the proof.


1. $C_1$ grants that every role's state machine satisfies Send Decoration Validity and Receive Decoration Validity, whereas $C_2'$ only guarantees the conditions for role p. Correspondingly, $\mathcal{A}[A]_p$ only differs from $\mathcal{A}[\mathcal{C}(G,p)]_p$ in p's state machine; all other roles' state machines are identical between the two CSMs. Therefore, the induction step requires a case analysis on the role whose alphabet the event x belongs to. In the case that $x \in \Sigma_q$ where $q \neq p$, the induction hypothesis is trivially re-established by the fact that q's state machine is identical in both CSMs. In the case that $x \in \Sigma_p$, we proceed to reason that x can also be performed by $\mathcal{C}(G,p)$ in the same well-behaved context.

2. $C_1$ includes Transition Exhaustivity, which allows us to conclude that, given a run with unique splitting $\alpha \cdot G \xrightarrow{l} G'' \cdot \beta$ for p matching w and the fact that $G \in s$, there must exist a transition $s \xrightarrow{\mathrm{split}(l)\Downarrow_{\Sigma_p}} s''$ in p's state machine. Lemma 4.13 can then be instantiated directly with $\alpha \cdot G \xrightarrow{l} G'' \cdot \beta$ to complete the proof. $C_2'$, on the other hand, splits Transition Exhaustivity into Send Preservation and Receive Exhaustivity, and we can only establish that such a transition exists and reuse the proof in the case that $\mathrm{split}(l)\Downarrow_{\Sigma_p} \in \Sigma_{p,?}$. Since A is permitted to remove send events, if $\mathrm{split}(l)\Downarrow_{\Sigma_p} \in \Sigma_{p,!}$, the transition $s \xrightarrow{\mathrm{split}(l)\Downarrow_{\Sigma_p}} s''$ may not exist at all in A. However, the existence of a run $\alpha \cdot G \xrightarrow{l} G'' \cdot \beta$ where l is a send event for p makes G a send-originating global state in p's projection by erasure automaton. Send Preservation thus guarantees that there exists a transition $s \xrightarrow{x'} s''$ in A such that $x' \in \Sigma_{p,!}$. By Send Decoration Validity, $x'$ originates from G in the projection by erasure, and we can find another run $\rho'$ such that $\alpha' \cdot G \xrightarrow{l'} G'' \cdot \rho'$ is the unique splitting for p matching w and $\mathrm{split}(l')\Downarrow_{\Sigma_p} = x'$. We satisfy the assumption that $r \triangleright p!m \notin \mathcal{M}^{G''}_{(r \to p,\,\_)}$ by instantiating Receive Decoration Validity with p, $s \xrightarrow{\mathrm{split}(l')\Downarrow_{\Sigma_p}} s'$, $s \xrightarrow{\mathrm{split}(l)\Downarrow_{\Sigma_p}} s''$ and $G''$. The fact that $G'' \in \mathrm{tr\text{-}dest}(d(s) \xrightarrow{\mathrm{split}(l)\Downarrow_{\Sigma_p}} d(s''))$ follows from the fact that $\alpha \cdot G \xrightarrow{l} G'' \cdot \beta'$ is a run in G and Definition 4.6. Instantiating Lemma 4.13 with $\rho'$, we obtain $\mathrm{split}(l')\Downarrow_{\Sigma_p} = x$, which is a contradiction: x is a receive event and $\mathrm{split}(l')\Downarrow_{\Sigma_p}$ is a send event. Thus, it cannot be the case that $\mathrm{split}(l)\Downarrow_{\Sigma_p} \in \Sigma_{p,!}$.


This concludes our proof that any trace in $\mathcal{A}[A]_p$ is also a trace in $\mathcal{A}[\mathcal{C}(G,p)]_p$. The following claim completes our soundness proof:

Claim 2: $\forall w \in \Sigma^*_{\mathrm{sync}}.\ w$ is terminated in $\mathcal{A}[A]_p \implies w$ is terminated in $\mathcal{A}[\mathcal{C}(G,p)]_p$ and w is maximal in $\mathcal{A}[A]_p$.

The proof of Claim 2 for $C_1$ again relies on Local Language Inclusion, which is unavailable to $C_2'$. Instead, we turn to Send Preservation, Receive Exhaustivity and Final State Validity to establish this claim. Let w be a terminated trace in $\mathcal{A}[A]_p$. By Claim 1, it holds that w is a trace in $\mathcal{A}[\mathcal{C}(G,p)]_p$. Let $\xi$ be the channel configuration uniquely determined by w. Let $(\vec{s}, \xi)$ be the $\mathcal{A}[\mathcal{C}(G,p)]_p$ configuration reached on w, and let $(\vec{t}, \xi)$ be the $\mathcal{A}[A]_p$ configuration reached on w. To see that w is terminated in $\mathcal{A}[\mathcal{C}(G,p)]_p$, suppose by contradiction that w is not terminated in $\mathcal{A}[\mathcal{C}(G,p)]_p$. Because $\mathcal{A}[\mathcal{C}(G,p)]_p$ is deadlock-free, and because the state machines for all non-p roles are identical between the two CSMs, it must be the case that p witnesses the non-termination of w; in other words, $\mathcal{C}(G,p)$ can take a transition that A cannot. Let $\vec{s}_p \xrightarrow{x} s'$ be the transition that p can take from $\vec{s}_p$. Let G be a state in $\vec{s}_p$; such a state is guaranteed to exist by the fact that no reachable states in the subset construction are empty. Then, in the projection by erasure automaton, the initial state reaches G on $w\Downarrow_{\Sigma_p}$. By the fact that w is a trace of $\mathcal{A}[A]_p$, it holds that $s_0$ reaches $\vec{t}_p$ on $w\Downarrow_{\Sigma_p}$ in A. By the definition of state decoration, $G \in d(\vec{t}_p)$.

– If $x \in \Sigma_{p,!}$, it follows that G is a send-originating global state. By Send Preservation, for any state in A that contains at least one send-originating global state, of which $\vec{t}_p$ is one, there exists a transition $\vec{t}_p \xrightarrow{x'} t'$ such that $x' \in \Sigma_{p,!}$. Because send transitions in a CSM are always enabled, role p can take this transition in $\mathcal{A}[A]_p$. We reach a contradiction to the fact that w is terminated in $\mathcal{A}[A]_p$.

– If $x \in \Sigma_{p,?}$, it follows that G is a receive-originating global state. From Receive Exhaustivity, any receive event that originates from any global state in $d(\vec{t}_p)$ must also originate from $\vec{t}_p$. Therefore, there must exist $t'$ such that $\vec{t}_p \xrightarrow{x} t'$ is a transition in A. Because the channel configuration is identical in both CSMs, role p can take this transition in $\mathcal{A}[A]_p$. We again reach a contradiction to the fact that w is terminated in $\mathcal{A}[A]_p$.

To see that w is maximal in $\mathcal{A}[A]_p$, observe that for all roles $q \neq p$, $\vec{s}_q = \vec{t}_q$. Thus, it remains to show that $\vec{t}_p$ is a final state in A. Because $\vec{s}_p$ is a final state, by the definition of the subset construction there exists a global state $G \in \vec{s}_p$ such that the projection by erasure automaton reaches G on $w\Downarrow_{\Sigma_p}$ and G is a final state. Because A reaches $\vec{t}_p$ on $w\Downarrow_{\Sigma_p}$, by Definition 4.6 it holds that $G \in d(\vec{t}_p)$. By Final State Validity, it holds that $\vec{t}_p$ is a final state in A. This concludes our proof that any terminated trace in $\mathcal{A}[A]_p$ is also a terminated trace in $\mathcal{A}[\mathcal{C}(G,p)]_p$, and is maximal in $\mathcal{A}[A]_p$.

Together, Claims 1 and 2 establish that $\mathcal{A}[A]_p$ satisfies language inclusion (Item ii) and deadlock freedom (Item iii). It remains to show that $\mathcal{A}[A]_p$ satisfies subprotocol fidelity (Item i). This follows immediately from Lemma 2.2, which states that all CSM languages are closed under the indistinguishability relation $\sim$.


Lemma 5.7 (Completeness of $C_2'$). If for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[\mathcal{C}(G,p)]_p$, then $C_2'$ holds.

As before, we prove the modus tollens of this implication, which states that if $C_2'$ does not hold, then there exists a well-behaved context $\mathcal{A}[\cdot]_p$ such that $\mathcal{A}[A]_p$ does not protocol-refine $\mathcal{A}[\mathcal{C}(G,p)]_p$.

We first turn our attention to finding a well-behaved witness context $\mathcal{A}[\cdot]_p$ such that we can refute subprotocol fidelity, language inclusion, or deadlock freedom. It turns out that the context consisting of the subset construction automaton for every other role is a suitable witness. We denote this context by $\mathcal{C}(G)[\cdot]_p$ and note that it is trivially well-behaved because $\mathcal{C}(G)[\mathcal{C}(G,p)]_p = \{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$.

Recall from the completeness arguments for $C_1$ that we obtained a violating state in some state machine A with a non-empty decoration set from the negation of each condition in $C_1$. From this state's decoration set we obtained a witness global state G, and in turn a run $\alpha \cdot G$ in G, and from the assumption that $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ refines $\mathcal{A}$, we argued that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$ is a trace in $\mathcal{A}$. We then showed that A is in the violating state in the $\mathcal{A}$ configuration reached on $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$, and from there we used each violated condition to find a contradiction.

The completeness proof for $C_2'$ cannot similarly use the fact that $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ refines $\mathcal{C}(G)[A]_p$. Instead, we must separately establish that every state with a non-empty decoration set can be reached on a trace shared by both $\mathcal{C}(G)[A]_p$ and $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$. The following lemma achieves this:


Lemma 5.8. Let A be a state machine for p and s be a state in A. Let $G \in d(s)$, and let $u \in \Sigma_p^*$ be a word such that $s_0 \xrightarrow{u}{}^{*} s$ in A. Then, there exists a run $\alpha \cdot G$ of $\mathrm{GAut}(G)$ such that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))\Downarrow_{\Sigma_p} = u$, $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$ is a trace in $\mathcal{C}(G)[A]_p$, and in the CSM configuration reached on $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$, A is in state s.


With Lemma 5.8 replacing the assumption that $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$ refines $\mathcal{C}(G)[A]_p$, we can reuse the construction from the completeness proof for $C_1$ to obtain a word that is a trace in $\mathcal{C}(G)[A]_p$ but not a trace in $\{\mathcal{C}(G,p)\}_{p\in\mathcal{P}}$, thus evidencing the necessity of Send Decoration Validity and Receive Decoration Validity. The proof of Lemma 5.9 proceeds identically to that of Lemma 4.16 and is thus omitted.

Lemma 5.9. If A violates Send Decoration Validity or Receive Decoration Validity, then it does not hold that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{C}(G)[A]_p$.


We also use Lemma 5.8 to show the necessity of Send Preservation, Receive Exhaustivity and Final State Validity. As a starting point, let A, s, u and $\alpha \cdot G$ be obtained from Lemma 5.8 and the violation of Send Preservation. To show the necessity of Send Preservation, we consider the largest extension v of u in $\mathcal{C}(G)[A]_p$. In the case that u is terminated in $\mathcal{C}(G)[A]_p$, we refute deadlock freedom from the fact that u is not maximal: $G \in s$ is a send-originating state, and final states in $\mathrm{GAut}(G)$ do not contain outgoing transitions. If $v \neq u$, there exists a run $\alpha \cdot G \xrightarrow{p \to q : m} G' \cdot \beta$ such that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G \xrightarrow{p \to q : m} G' \cdot \beta))\Downarrow_{\Sigma_p} = v\Downarrow_{\Sigma_p}$. By subprotocol fidelity, $\mathrm{split}(\mathrm{trace}(\alpha \cdot G \xrightarrow{p \to q : m} G' \cdot \beta))$ is a trace in $\mathcal{C}(G)[A]_p$. Consequently, $\mathrm{split}(\mathrm{trace}(\alpha \cdot G \xrightarrow{p \to q : m} G' \cdot \beta))\Downarrow_{\Sigma_p}$ is a prefix in A. We find a contradiction from the fact that A is deterministic and there is no outgoing transition labeled $p \triangleright q!m$ from s. Similar arguments can be used to show the necessity of Receive Exhaustivity. Finally, for Final State Validity, in the case that s is non-final in A but contains a final state in $\mathrm{GAut}(G)$, we can instantiate Lemma 5.8 with this final state and show that u evidences a deadlock.

Lemma 5.10. If A violates Send Preservation, Receive Exhaustivity or Final State Validity, then it does not hold that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{C}(G)[A]_p$.


5.2 Protocol Refinement (General Case) 


Equipped with the solution to a special case, we are ready to revisit the general case of Protocol Refinement, which asks to find a $C_2$ that satisfies the following:

$C_2 \iff$ for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$.

Critical to the former problems is the fact that the state decoration function precisely captures those states in a local state machine that are reachable in some CSM execution, under some assumptions on the context: a state is reachable if and only if its decoration set is non-empty. This allows the conditions in $C_1$ and $C_2'$ to precisely characterize the reachable local states.

The second problem generalizes the subset projection to an arbitrary state machine B, and asks whether a candidate state machine A (the subtype) refines B (the supertype) in any well-behaved context. Unfortunately, we cannot simply decorate the subtype with the supertype's states, because not all states in the supertype are reachable. Instead, we need to restrict the set of states in the supertype to those that themselves have non-empty decoration sets with respect to G.

In the remainder of this section, let $p \in \mathcal{P}$ be a role, let $B = (Q_B, \Sigma_p, t_0, \delta_B, F_B)$ denote the supertype state machine for p, and let $A = (Q_A, \Sigma_p, s_0, \delta_A, F_A)$ denote the subtype state machine for p. We modify our state decoration function in Definition 4.6 to map states of A to subsets of states in B that themselves have non-empty decoration sets with respect to G.


196 E. Li, F. Stutz, and T. Wies 


Definition 5.11 (State decoration with respect to a supertype). Let G be a global type. Let $p \in \mathcal{P}$ be a role, and let further $B = (Q_B, \Sigma_p, t_0, \delta_B, F_B)$ and $A = (Q_A, \Sigma_p, s_0, \delta_A, F_A)$ be two deterministic finite state machines for p. We define a total function $d_{G,B,A} : Q_A \to 2^{Q_B}$ that maps each state in A to a subset of states in B such that:

$d_{G,B,A}(s) = \{\, t \in Q_B \mid \exists u \in \Sigma_p^*.\ s_0 \xrightarrow{u}{}^{*} s \in \delta_A \;\land\; t_0 \xrightarrow{u}{}^{*} t \in \delta_B \;\land\; d(t) \neq \emptyset \,\}$

We again omit the subscripts G and A when clear from context, but retain the subscript B to distinguish $d_B$ from d in Definition 4.6.

We likewise require a generalization of tr-orig and tr-dest to be defined in terms 
of B, instead of the projection by erasure automaton for p. 


Definition 5.12 (Transition origin and destination with respect to a supertype). Let G be a global type, and let $B = (Q_B, \Sigma_p, t_0, \delta_B, F_B)$ be a state machine. For $x \in \Sigma_p$ and $s, s' \subseteq Q_B$, we define the set of transition origins $\mathrm{tr\text{-}orig}_B(s \xrightarrow{x} s')$ and transition destinations $\mathrm{tr\text{-}dest}_B(s \xrightarrow{x} s')$ as follows:

$\mathrm{tr\text{-}orig}_B(s \xrightarrow{x} s') := \{\, t \in s \mid \exists t' \in s'.\ t \xrightarrow{x}{}^{*} t' \in \delta_B \,\}$ and

$\mathrm{tr\text{-}dest}_B(s \xrightarrow{x} s') := \{\, t' \in s' \mid \exists t \in s.\ t \xrightarrow{x}{}^{*} t' \in \delta_B \,\}.$


We present $C_2$ in terms of the newly defined decoration function $d_B$.

Definition 5.13 ($C_2$). Let G be a global type, $p \in \mathcal{P}$ be a role, and let further $B = (Q_B, \Sigma_p, t_0, \delta_B, F_B)$ and $A = (Q_A, \Sigma_p, s_0, \delta_A, F_A)$ be two deterministic state machines for p. $C_2$ is the conjunction of the following conditions:

– Send Decoration Subtype Validity: every send transition $s \xrightarrow{x} s' \in \delta_A$ must be enabled in all states of B decorating s:
$\forall s \xrightarrow{p \triangleright q!m} s' \in \delta_A.\ \mathrm{tr\text{-}orig}_B(d_B(s) \xrightarrow{p \triangleright q!m} d_B(s')) = d_B(s).$

– Receive Decoration Subtype Validity: no receive transition is enabled in an alternative continuation originating from the same state:
$\forall s \xrightarrow{p \triangleleft q_1?m_1} s_1,\ s \xrightarrow{x} s_2 \in \delta_A.\ x \neq p \triangleleft q_1?\_ \implies \forall G \in \bigcup \{\, d(t) \mid t \in \mathrm{tr\text{-}dest}_B(d_B(s) \xrightarrow{x} d_B(s_2)) \,\}.\ q_1 \triangleright p!m_1 \notin \mathcal{M}^{G}_{(q_1 \to p,\,\_)}.$

– Send Subtype Preservation: every state decorated by a send-originating global state must have at least one outgoing send transition:
$\forall s \in Q_A.\ \big( \bigcup_{t \in d_B(s)} d(t) \cap Q_{!} \neq \emptyset \big) \implies \exists x \in \Sigma_{p,!},\ s' \in Q_A.\ s \xrightarrow{x} s' \in \delta_A.$

– Receive Subtype Exhaustivity: every receive transition that is enabled in some global state decorating s must be an outgoing transition from s:
$\forall s \in Q_A.\ \forall G \xrightarrow{x}{}^{*} G' \in \delta_p.\ G \in \bigcup_{t \in d_B(s)} d(t) \land x \in \Sigma_{p,?} \implies \exists s' \in Q_A.\ s \xrightarrow{x} s' \in \delta_A.$

– Final State Validity: a reachable state is final if its decorating set contains a final global state:
$\forall s \in Q_A.\ \bigcup_{t \in d_B(s)} d(t) \neq \emptyset \implies \big( \bigcup_{t \in d_B(s)} d(t) \cap F_G \neq \emptyset \implies s \in F_A \big).$
We want to show the following equivalence to prove Theorem 5.4:

$C_2 \iff$ for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$.

Lemma 5.14 (Soundness of $C_2$). If $C_2$ holds, then for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$.

Predictably, the proof of soundness is directly adapted from the proof for $C_2'$ by applying suitable "liftings", and can be found in the extended version [37].

Lemma 5.15 (Completeness of $C_2$). If for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$, then $C_2$ holds.


Again, we prove the modus tollens of this implication, and we again are required to find a witness well-behaved context $\mathcal{A}[\cdot]_p$ such that $\mathcal{A}[A]_p$ does not refine $\mathcal{A}[B]_p$ under the assumption of the negation of $C_2$. In the special case where B is the subset construction automaton, we observed that any state in A with a non-empty decoration set with respect to G is reachable by the CSM consisting of A and the subset construction context, denoted $\mathcal{C}(G)[A]_p$. We were therefore able to use $\mathcal{C}(G)[\cdot]_p$ as the witness well-behaved context. A similar characterization is true in the general case: a state in A is reachable by $\mathcal{C}(G)[A]_p$ if it has a non-empty decoration set with respect to B. This in turn depends on the fact that we only label states in A with states in B that themselves have non-empty decorating sets with respect to G. The following lemma lifts Lemma 5.8 to the general problem setting:

Lemma 5.16. Let A, B be two state machines for p, such that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[B]_p$ refines G. Let s be a state in A, and let t be a state in B such that $t \in d_B(s)$. Let $u \in \Sigma_p^*$ be a word such that $s_0 \xrightarrow{u}{}^{*} s$ in A. Then, there exists a run $\alpha \cdot G$ of $\mathrm{GAut}(G)$ such that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))\Downarrow_{\Sigma_p} = u$, $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$ is a trace in both $\mathcal{C}(G)[A]_p$ and $\mathcal{C}(G)[B]_p$, and in the CSM configuration reached on $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$, A is in state s.

Proof. From the fact that $t \in d_B(s)$ and the definition of state decoration (Definition 5.11), it holds that $d(t) \neq \emptyset$ and $t_0 \xrightarrow{u}{}^{*} t \in \delta_B$. Let $G \in d(t)$. We apply Lemma 5.8 to obtain a run $\alpha \cdot G$ such that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))\Downarrow_{\Sigma_p} = u$, $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$ is a trace in $\mathcal{C}(G)[B]_p$, and in the $\mathcal{C}(G)[B]_p$ configuration reached on $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$, B is in state t. Because $s_0 \xrightarrow{u}{}^{*} s \in \delta_A$, and all non-p state machines are identical from $\mathcal{C}(G)[B]_p$ to $\mathcal{C}(G)[A]_p$, it is clear that $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$ is also a trace of $\mathcal{C}(G)[A]_p$, and in the CSM configuration reached on $\mathrm{split}(\mathrm{trace}(\alpha \cdot G))$, A is in state s.

Having found our witness well-behaved context $\mathcal{C}(G)[\cdot]_p$, established Lemma 5.16 to replace Lemma 5.8, and observed that the violation of each condition in $C_2$ likewise yields a state with a non-empty decoration set with respect to B, completeness then amounts to showing the existence of a $w \in \Sigma^*_{\mathrm{sync}}$ such that w refutes subprotocol fidelity, language inclusion, or deadlock freedom. Recall that the proofs for the necessity of Send Preservation, Receive Exhaustivity and Final State Validity in the case where B is the subset construction constructed a trace that refuted either subprotocol fidelity or deadlock freedom. These two properties are identical across both formulations of the problem, and therefore the construction can be wholly reused to show the necessity of Send Subtype Preservation, Receive Subtype Exhaustivity and Final State Subtype Validity.


Lemma 5.17. If $\mathcal{A}[A]_p$ violates Send Decoration Subtype Validity or Receive Decoration Subtype Validity, then it does not hold that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$.

The proofs for the necessity of Send Decoration Validity and Receive Decoration Validity, on the other hand, construct a word that is a trace in $\mathcal{A}[A]_p$ but not a trace in $\mathcal{C}(G)[A]_p$. In the general case, we can show that the same construction is a trace in $\mathcal{A}[A]_p$ but not a trace in $\mathcal{A}[B]_p$. We omit the proofs to avoid redundancy.

Lemma 5.18. If $\{A_p\}_{p\in\mathcal{P}}$ violates Send Subtype Preservation, Receive Subtype Exhaustivity, or Final State Subtype Validity, then it does not hold that for all well-behaved contexts $\mathcal{A}[\cdot]_p$, $\mathcal{A}[A]_p$ refines $\mathcal{A}[B]_p$.


6 Complexity Analysis 


We complete our discussion with a complexity analysis of the two considered problems, building on the characterizations established in Theorem 4.1 and Theorem 5.4.

For the Protocol Verification problem, let m be the size of $\mathcal{A}$ and n the size of G. Moreover, let $A_p$ be the local implementation of some role p in $\mathcal{A}$. Observe that the sets $d_{A_p}(s)$ for each state s of $A_p$, as well as the sets $\mathcal{M}^{G'}_{(p \to q,\,\_)}$ for each subterm $G'$ of G, are at most of size n. It is then easy to see that $C_1$ can be checked in time polynomial in n and m, provided that the sets $d_{A_p}(s)$ and $\mathcal{M}^{G'}_{(p \to q,\,\_)}$ are also computable in polynomial time.

To see this for the sets $\mathcal{M}^{G'}_{(p \to q,\,\_)}$, observe that the definition expands each occurrence of a recursion variable in G at most once. So the traversal takes time $O(n^2)$. For each traversed event $p \to q : m$ in G, we need to perform a constant number of lookup, insertion, and deletion operations on a set of size at most n, which takes time $O(\log n)$. The time for computing $\mathcal{M}^{G'}_{(p \to q,\,\_)}$ is thus in $O(n^2 \log n)$.

Similarly, observe that the function $d_{A_p}$ can be computed for the local implementation of each role $p \in \mathcal{P}$ using a simple fixpoint loop. Each set $d_{A_p}(s)$ can be represented as a bit vector of size n, making all set operations constant time. The loop inserts at most n subterms of G into each $d_{A_p}(s)$, which takes time $O(nm)$ for all insertions. Moreover, for each G inserted into a set $d_{A_p}(s)$ and each transition $s \xrightarrow{x} s'$ in $A_p$, we need to compute the set $\{G' \mid G \xrightarrow{x}{}^{*} G' \in \delta_p\}$, which is then added to $d_{A_p}(s')$. Computing these sets takes time $O(nm)$ for each G and s.

Following analogous reasoning, we can also establish that $C_2$ is checkable in polynomial time.
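As an added example (not code from the paper), the following Python implements the fixpoint loop for the state decoration just described and uses it to check, on the global type $G_1$ of Section 5.1, the conditions of Definition 5.5 that this page defines fully: Send Decoration Validity (via tr-orig), Send Preservation, Receive Exhaustivity and Final State Validity. Receive Decoration Validity is left out because the available-message sets it depends on are not defined here; the hand-written encoding of $\mathrm{GAut}(G_1)$, the reading of $G \xrightarrow{x}{}^{*} G'$ as one x-step between two epsilon-closures, and the exact shape of the Fig. 6 candidates are assumptions of this example.

```python
"""Added example (not the paper's code): the state decoration fixpoint loop of
Section 6 plus a checker for the conditions of Definition 5.5 that this page
defines fully (Send Decoration Validity via tr-orig, Send Preservation, Receive
Exhaustivity, Final State Validity), run on G1 and candidate machines for p."""
from collections import deque

# Constructed GAut(G1) for G1 = p->q:b.q->p:b.0 + p->q:m.q->p:m.0:
# states are subterms, transitions carry the global event (sender, receiver, msg).
G1_INIT = "g0"
G1_FINAL = {"g3"}
G1_TRANS = [("g0", ("p", "q", "b"), "g1"), ("g0", ("p", "q", "m"), "g2"),
            ("g1", ("q", "p", "b"), "g3"), ("g2", ("q", "p", "m"), "g3")]

def erase(event, role):
    """Projection by erasure of one global event onto `role`:
    ('!', q, m) for a send, ('?', q, m) for a receive, None for epsilon."""
    sender, receiver, msg = event
    if sender == role:
        return ("!", receiver, msg)
    if receiver == role:
        return ("?", sender, msg)
    return None

def eps_closure(states, role, trans):
    """Global states reachable from `states` via events that are epsilon for `role`."""
    seen, todo = set(states), deque(states)
    while todo:
        g = todo.popleft()
        for src, ev, dst in trans:
            if src == g and erase(ev, role) is None and dst not in seen:
                seen.add(dst)
                todo.append(dst)
    return seen

def step(g, x, role, trans):
    """{G' | G ->x* G'}: assumed here to mean one x-step between two epsilon-closures."""
    nxt = {dst for src, ev, dst in trans
           if src in eps_closure({g}, role, trans) and erase(ev, role) == x}
    return eps_closure(nxt, role, trans)

def send_originating(g, role, trans):
    """A global state is send-originating for `role` if all its events are sends of `role`."""
    labels = [erase(ev, role) for src, ev, _ in trans if src == g]
    return bool(labels) and all(x is not None and x[0] == "!" for x in labels)

def decorate(local, role, init, trans):
    """d(s) of Definition 4.6 by the fixpoint loop of Section 6: each (s, G) pair is
    inserted once, and for every local transition s -x-> s' the set {G' | G ->x* G'}
    is added to d(s')."""
    s0, delta, _ = local
    d = {s: set() for s in [s0] + [q for src, _, dst in delta for q in (src, dst)]}
    d[s0] = eps_closure({init}, role, trans)
    worklist = deque((s0, g) for g in d[s0])
    while worklist:
        s, g = worklist.popleft()
        for src, x, dst in delta:
            if src == s:
                for g2 in step(g, x, role, trans) - d[dst]:
                    d[dst].add(g2)
                    worklist.append((dst, g2))
    return d

def check_c2prime(local, role, init=G1_INIT, final=G1_FINAL, trans=G1_TRANS):
    """Return the (condition, local state, event) violations of the checked conditions."""
    _, delta, finals = local
    d = decorate(local, role, init, trans)
    violations = []
    for s, gs in d.items():
        if not gs:                      # unreachable local state: nothing to check
            continue
        out = [(x, t) for src, x, t in delta if src == s]
        # Send Decoration Validity: every send from s is enabled in every G in d(s).
        for x, _ in out:
            if x[0] == "!" and any(not step(g, x, role, trans) for g in gs):
                violations.append(("Send Decoration Validity", s, x))
        # Send Preservation: a send-originating G in d(s) requires some outgoing send.
        if any(send_originating(g, role, trans) for g in gs) and not any(x[0] == "!" for x, _ in out):
            violations.append(("Send Preservation", s, None))
        # Receive Exhaustivity: every receive enabled at some G in d(s) must leave s.
        enabled = {x for src, ev, _ in trans if src in eps_closure(gs, role, trans)
                   for x in [erase(ev, role)] if x is not None and x[0] == "?"}
        for x in sorted(enabled - {x for x, _ in out}):
            violations.append(("Receive Exhaustivity", s, x))
        # Final State Validity: a reachable s decorated by a final G must itself be final.
        if gs & final and s not in finals:
            violations.append(("Final State Validity", s, None))
    return violations

# Constructed candidates for p as (initial state, transitions, final states).
# Fig. 6a: the branch starting with p>q!m is dropped, so a send is removed.
P_REMOVE_SENDS = ("a0", [("a0", ("!", "q", "b"), "a1"), ("a1", ("?", "q", "b"), "a2")], {"a2"})
# Fig. 6b as described in the text: the receive p<q?m after p>q!m is removed.
P_REMOVE_RECEIVES = ("a0", [("a0", ("!", "q", "b"), "a1"), ("a1", ("?", "q", "b"), "a2"),
                            ("a0", ("!", "q", "m"), "a3")], {"a2"})
# Dropping every send from a send-originating state violates Send Preservation.
P_REMOVE_ALL_SENDS = ("a0", [], set())
```

Running `check_c2prime` on the three candidates reports no violation for the first, a Receive Exhaustivity violation at the state reached after `p>q!m` for the second, and a Send Preservation violation for the third.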


Theorem 6.1. The Protocol Verification and Protocol Refinement problems are decid- 
able in polynomial time. 
7 Related Work

Session types were first introduced in binary form by Honda in 1993 [29]. Binary session types describe interactions between two participants, and communication safety of binary sessions amounts to channel duality. Binary session types were generalized to multiparty session types, describing interactions between more than two participants, by Honda, Yoshida and Carbone in 2008 [31], and the corresponding notion of safety was generalized from duality to multiparty consistency. Binary session types were inspired by and enjoy a close connection to linear logic [11, 28, 50]. Horne generalizes this connection to multiparty session types and non-commutative extensions of linear logic. The connection between multiparty session types and logic is also explored in [10, 12, 13]. MSTs have since been extensively studied and widely adopted in practical programming languages; we refer the reader to for a comprehensive survey.


Session type syntax. Session type frameworks have enjoyed various extensions since their inception. In particular, the choice operator for both global and local types has received considerable attention over the years. MSTs were originally introduced as global types, with a directed choice operator that restricted a sender to sending different messages to the same recipient. Subsequent work relaxes this restriction to sender-driven choice, which allows a sender to send different messages to different recipients, and increases the expressivity of global types. Our paper targets global types with sender-driven choice. For local types, a direct comparison can be drawn to the π-calculus, for which mixed choice was shown to be strictly more expressive than separate choice [43]. Mixed choices allow both send and receive actions, whereas separate choices consist purely of either sends or receives. [38] showed that any global type with sender-driven choice can be implemented by a CSM with only separate choice. Mixed choice for binary local types was investigated in [14], although later work showed that this variant falls short of the full expressive power of the mixed choice π-calculus, and instead can only express the separate choice π-calculus. Other communication primitives have also been studied, such as channel delegation [17, 30, 31], dependent predicates [48, 49], parametrization and data refinement [51].


Session type semantics. MSTs were introduced with a process algebra semantics. The connection to CSMs was established in [21], which defines a class of CSMs whose state machines can be represented as local types, called Communicating Session Automata (CSA). CSAs inherit from the local types they represent the restrictions on choice discussed above, "tree-like" restrictions on the structure (see for a characterization), and restrictions on outgoing transitions from final states. The CSM implementation model in our work assumes none of the above restrictions, and is thus true to its name.


Session subtyping. Session subtyping was first introduced in the context of the π-calculus, which was in turn inspired by Pierce and Sangiorgi's work on subtyping for channel endpoints [45]. The session types literature distinguishes between two notions of subtyping based on the network assumptions of the framework: synchronous and asynchronous subtyping. Both notions respect Liskov and Wing's substitution principle [39], but differ in the guarantees provided. We discuss each in turn.
Synchronous subtyping follows the notions of covariance and contravariance introduced by [25], and checks that a subtype contains fewer sends and more receives than its supertype. For binary synchronous session types, Lange and Yoshida show that subtyping can be decided in quadratic time via model checking of characteristic formulae in the modal μ-calculus. For multiparty synchronous session types, Ghilezan et al. present a precise subtyping relation that is universally quantified over all contexts, and restricts the local type syntax to directed choice. As mentioned in [26], their subtyping relation is incomplete when generalized to asynchronous multiparty sessions with directed choice. Their subtyping relation is further incomplete when generalized to asynchronous multiparty sessions with mixed choice, due to the "peculiarity [...] that, apart from a pair of inactive session types, only inputs and outputs from/to a same participant can be related" [26]. The complexity of their subtyping relation is not mentioned.

Unlike subtyping relations for synchronous sessions, which preserve language inclusion, subtyping relations for asynchronous sessions instead focus on deadlock-free optimizations that permute roles' local order of send and receive actions, also called asynchronous message reordering, or AMR [20]. First proposed for binary sessions by Mostrous and Yoshida [41], and for multiparty sessions by Mostrous et al. [42], this notion of subtyping does not satisfy subprotocol fidelity in general; indeed, in some cases, the set of behaviors recognized by a supertype is entirely disjoint from that of its subtype [5]. Asynchronous subtyping was shown to be undecidable for both binary and multiparty session types [6, 35]. Existing works are thus either restricted to binary protocols [1, 5, 6, 35], prohibit non-deterministic choice involving multiple receivers [7, 27], or make strong fairness assumptions on the network [7].

The connection between session subtyping and behavioral contract refinement has 
been studied only in the context of binary session types, and is thus out of scope of our 
work. We refer the reader to for a survey. 
Abstract. We build on a fine-grained analysis of session-based interaction as provided by the linear logic typing disciplines to introduce the SAM, an abstract machine for mechanically executing session-typed processes. A remarkable feature of the SAM’s design is its ability to naturally segregate and coordinate sequential with concurrent session behaviours. In particular, implicitly sequential parts of session programs may be efficiently executed by deterministic sequential application of SAM transitions, amenable to compilation, and without concurrent synchronisation mechanisms. We provide an intuitive discussion of the SAM structure and its underlying design, and state and prove its correctness for executing programs in a session calculus corresponding to full classical linear logic CLL. We also discuss extensions and applications of the SAM to the execution of linear and session-based programming languages.


Keywords: Abstract machine · Session Types · Linear Logic


1 Introduction 


In this work, we build on the linear logic based foundation for session types to construct SAM, an abstract machine specially designed for executing session processes typed by (classical) linear logic CLL. Although motivated by the session type discipline, which originally emerged in the realm of concurrency and distribution [34], a basic motivation for designing the SAM was to provide an efficient deterministic execution model for the implicitly sequential session-typed program idioms that often proliferate in concurrent session-based programming. It is well-known that in a world of fine-grained concurrency, building on many process-based encodings of concepts such as (abstract) data types, functions, continuations, and effects [54], large parts of the code turn out to be inherently sequential, further justifying the foundational and practical relevance of our results. A remarkable feature of the SAM’s design is therefore its potential to efficiently coordinate sequential with full-fledged concurrent behaviours in session-based programming.

Leveraging early work relating linear logic with the semantics of linear and concurrent computation [6,2], the proposition-as-types (PaT) interpretation of linear logic proofs as a form of well-behaved session-typed nominal calculus has motivated many developments since its inception [67]. We believe that, much as the λ-calculus is deemed a canonical typed model for functional (sequential) computation with pure values, the session calculus can be accepted as a fairly canonical typed model for stateful concurrent computation with linear resources, well-rooted in the trunk of “classical” Type Theory. The PaT interpretation of session processes also establishes a bridge between more classical theories of computation and process algebra via logic. It also reinstates Robin Milner’s view of computation as interaction [48], “data-as-processes” and “functions-as-processes” [47], now in the setting of a tightly typed world, based on linear logic, where types may statically ensure key properties like deadlock-freedom, termination, and correct resource usage in stateful programs. Session calculi are motivating novel programming language design, bringing up new insights on typeful programming with linear and behavioral types, e.g., [24,61,20,5]. Whereas most systems of typed session calculi have been formulated in process algebraic form [33,28], or on top of concurrent λ-calculi with an extra layer of communication channels (e.g., ), logically inspired systems such as those discussed in this paper (e.g., [61]) are defined by a logical proof / type system where proof rules are seen as witnesses for the typing of process terms, proofs are read as processes, structural equivalence is proof conversion and computation corresponds to cut reduction. These formulations provide a fundamental semantic foundation to study the model’s expressiveness and meta-theory, but of course do not directly support the concrete implementation of programming languages based on them.


Although several programming language implementations of nominal calculi based languages have been proposed for some time (e.g., [57]), with some introducing abstract machines as the underlying technology (e.g., [46]), we are not aware of any prior design proposal for an abstract machine for reducing session processes exploiting deep properties of a source session calculus, as, e.g., the CAM, the LAM [41], or the KM [40], which also explore the Curry-Howard correspondences, may claim to be, respectively for call-by-value cartesian-closed structures, linear logic, and the call-by-name λ-calculus.


The SAM reduction strategy explores a form of “asynchronous” interaction that essentially expresses that, for processes typed by the logical discipline, sessions are always pairwise causally independent, in the sense that immediate communication on some session is never blocked by communication on a different session. This property is captured syntactically by prefix commutation equations, valid commuting conversions in the underlying logic: adding equations for such laws explicitly to process structural congruence keeps observational equivalence of CLL processes untouched [53]. Combined with insights related to focalisation and polarisation in linear logic [44], we realize that all communication in any session may be operationally structured as the exchange of bundles of positive actions from sender to receiver, where the roles sender/receiver flip whenever the session type swaps polarity. Communication may then be mediated by message buffers, first filled up by the sender (“write-biased” scheduling), and at a later time emptied by the receiver. Building on these observations and on key properties of linear logic proofs leveraged in well-known purely structural proofs of progress [13,15,61], we identify a sequential and deterministic reduction strategy for CLL typed processes, based on a form of co-routining where continuations are associated to session queues, and “context switching” occurs whenever polarity flips. That such a strategy works at all, preserving all the required correctness properties of the CLL language, does not seem immediately obvious, given that each process may sequentially perform multiple actions on many different sessions, meaning that multiple context switches must be interleaved. The bulk of our paper is then devoted to establishing all such properties in a precise technical sense. We believe that the SAM may provide a principled foundation for safe execution environments for programming languages combining functional, imperative and concurrent idioms based on session and linear types, as witnessed in practice for Rust [87], (Linear) Haskell [38], Move [9], and in research languages [24]. To further substantiate these views we have developed an implementation of the SAM, integrated in a language for realistic session-based shared-state programs [17].

Outline and Contributions. In Section 2 we briefly review the session-typed calculus CLL, which exactly corresponds to (classical) Linear Logic with mix. In Section 3 we discuss the motivation and design principles of the core SAM, gradually presenting its structure for the language fragment corresponding to session types without the exponentials, which will be introduced later. Even if the core SAM structure and transition rules are fairly simple, the proofs of correctness are more technically involved, and require progressive build up. Therefore, we first bridge between CLL and SAM via an intermediate logical language CLLB, introducing explicit queues in cuts, presented in Section 4. We show preservation (Theorem 4.1) and progress (Theorem 4.2) for CLLB, and prove that there is a two-way simulation between CLLB and CLL via a strong operational correspondence (Theorem 4.3). Given this correspondence, in Section 5 we state and prove the adequacy of the SAM for executing CLL processes, showing soundness w.r.t. CLLB (Theorem 5.1) and CLL (Theorem 5.2), and progress / deadlock absence (Theorem 5.3). In Section 6 we modularly extend the previous results to the exponentials and mix, and revise the core SAM by introducing explicit environments, stating the associated adequacy results (Theorem and Theorem 6.2). We also discuss how to accommodate concurrency, and other extensions in the SAM. We conclude by a discussion of related work and additional remarks. Additional definitions and proofs can be found in the companion technical report [16].


2 Background on CLL, the core language and type system 


We start by revisiting the language and type system of CLL, and its operational semantics. The system is based on a PaT interpretation of classical linear logic (we follow the presentations of [60]).

Definition 2.1 (Types). Types A, B are defined by

$$A, B ::= 1 \mid \bot \mid A \otimes B \mid A \parr B \mid \bigoplus_{\ell \in L} A_\ell \mid \mathop{\&}_{\ell \in L} A_\ell \mid\, !A \mid\, ?A$$

Types comprise the units (1, ⊥), multiplicatives (⊗, ⅋), additives (⊕_{ℓ∈L} A_ℓ, &_{ℓ∈L} A_ℓ) and exponentials (!, ?). We adopt here a labeled version of the additives, where the linear logic sum type A_#inl ⊕ A_#inr is defined by ⊕_{ℓ∈{#inl,#inr}} A_ℓ. The positive types are 1, ⊗, ⊕, and !, while the negative types are ⊥, ⅋, & and ?. We abbreviate Ā ⅋ B by A ⊸ B. We write A⁺ (resp. A⁻) to assert that A is a positive (resp. negative) type. Type duality Ā corresponds to negation:

$$\overline{1} = \bot \qquad \overline{A \otimes B} = \overline{A} \parr \overline{B} \qquad \overline{\bigoplus_{\ell \in L} A_\ell} = \mathop{\&}_{\ell \in L} \overline{A_\ell} \qquad \overline{!A} = ?\overline{A}$$


Duality captures the symmetry of behaviour in binary process interaction, as 
manifest in the cut rule. 


Definition 2.2 (Processes). The syntax of processes P, Q is given by:

P, Q ::= 0 | P || Q | fwd x y | cut {P |x:A| Q} | close x | wait x; P
       | case x {|#ℓ ∈ L: P_ℓ} | #ℓ x; P | send x(y.P); Q | recv x(z); P
       | !x(y); P | ?x; P | cut! {y.P |!x:A| Q} | call x(z); Q


Typing judgements have the form P ⊢ Δ; Γ, where P is a process and the typing context Δ; Γ is dyadic [13]: both Δ and Γ assign types to names, the context Δ is handled linearly (no implicit contraction or weakening) while the exponential context Γ is unrestricted. The type system exactly corresponds, via a propositions-as-types correspondence, to the canonical proof system of Classical Linear Logic with Mix. When a cut type annotation is easily inferred, we may omit it and write cut {P |x| Q}. The typing rules of CLL are given in Fig. 1.

The process 0 denotes the inactive process, typed in the empty linear context (rule [T0]). P || Q denotes independent parallel composition of processes P and Q (rule [Tmix]), whereas cut {P |x:A| Q} denotes interfering parallel composition of P and Q, where P and Q share exactly one channel name x, typed as A in P and Ā in Q (rule [Tcut]). The construct fwd x y captures forwarding between dually typed names x and y (rule [Tfwd]), which operationally consists in (globally) renaming x for y.

Processes close x and wait x; P denote session termination and the dual action of waiting for session termination, respectively (rules [T1] and [T⊥]). The constructs case x {|#ℓ ∈ L: P_ℓ} and #l x; P denote label input and output, respectively, where the input construct pattern matches on the received label to select the process continuation that is to run. Process send x(y.P1); P2 and recv x(z); Q codify the output of (fresh) name y on channel x and the corresponding input action, where the received name will be substituted for z in Q (rules [T⊗] and [T⅋]). Typing ensures that the names used in P1 and P2 are disjoint.

Processes !x(y); P, ?x; Q and call x(z); Q embody replicated servers and client processes. Process !x(y); P consists of a process that waits for inputs on x, spawning a replica of P (depending on no linear sessions — rule [T!]). Process ?x; Q and call x(z); Q allow for replicated servers to be activated and subsequently used as (fresh) linear sessions (rules [T?] and [Tcall]). Composition of exponentials is achieved by the cut! {y.P |!x:A| Q} process, where P cannot depend on linear sessions and so may be safely replicated.

We call action any process that is either a forwarder or realizes an introduction rule, and denote by 𝒜 the set of all actions, and by 𝒜(x) the set of actions with subject x (the subject of an action is the channel name on which it interacts [49]). An action is deemed positive (resp. negative) if its associated type is positive (resp. negative) in the sense of focusing. The set of positive (resp.
$$
\begin{array}{c}
0 \vdash \emptyset;\Gamma \ [\mathrm{T0}]
\qquad
\dfrac{P \vdash \Delta;\Gamma \quad Q \vdash \Delta';\Gamma}{P \,\|\, Q \vdash \Delta,\Delta';\Gamma}\ [\mathrm{Tmix}]
\qquad
\mathsf{fwd}\ x\ y \vdash x{:}A,\ y{:}\overline{A};\Gamma \ [\mathrm{Tfwd}]
\\[2ex]
\dfrac{P \vdash \Delta, x{:}A;\Gamma \quad Q \vdash \Delta', x{:}\overline{A};\Gamma}{\mathsf{cut}\,\{P\ |x{:}A|\ Q\} \vdash \Delta,\Delta';\Gamma}\ [\mathrm{Tcut}]
\qquad
\mathsf{close}\ x \vdash x{:}1;\Gamma \ [\mathrm{T1}]
\qquad
\dfrac{Q \vdash \Delta;\Gamma}{\mathsf{wait}\ x; Q \vdash \Delta, x{:}\bot;\Gamma}\ [\mathrm{T\bot}]
\\[2ex]
\dfrac{P_\ell \vdash \Delta, x{:}A_\ell;\Gamma \ (\text{all } \ell \in L)}{\mathsf{case}\ x\,\{|\#\ell \in L{:}P_\ell\} \vdash \Delta, x{:}\mathop{\&}_{\ell\in L} A_\ell;\Gamma}\ [\mathrm{T\&}]
\qquad
\dfrac{Q \vdash \Delta, x{:}A_l;\Gamma \quad \#l \in L}{\#l\ x; Q \vdash \Delta, x{:}\bigoplus_{\ell\in L} A_\ell;\Gamma}\ [\mathrm{T\oplus}]
\\[2ex]
\dfrac{P_1 \vdash \Delta_1, y{:}A;\Gamma \quad P_2 \vdash \Delta_2, x{:}B;\Gamma}{\mathsf{send}\ x(y.P_1); P_2 \vdash \Delta_1,\Delta_2, x{:}A \otimes B;\Gamma}\ [\mathrm{T\otimes}]
\qquad
\dfrac{Q \vdash \Delta, z{:}A, x{:}B;\Gamma}{\mathsf{recv}\ x(z); Q \vdash \Delta, x{:}A \parr B;\Gamma}\ [\mathrm{T\parr}]
\\[2ex]
\dfrac{P \vdash y{:}A;\Gamma}{!x(y); P \vdash x{:}!A;\Gamma}\ [\mathrm{T!}]
\qquad
\dfrac{Q \vdash \Delta;\Gamma, x{:}A}{?x; Q \vdash \Delta, x{:}?A;\Gamma}\ [\mathrm{T?}]
\\[2ex]
\dfrac{P \vdash y{:}A;\Gamma \quad Q \vdash \Delta;\Gamma, x{:}A}{\mathsf{cut!}\,\{y.P\ |!x{:}A|\ Q\} \vdash \Delta;\Gamma}\ [\mathrm{Tcut!}]
\qquad
\dfrac{Q \vdash \Delta, z{:}A;\Gamma, x{:}A}{\mathsf{call}\ x(z); Q \vdash \Delta;\Gamma, x{:}A}\ [\mathrm{Tcall}]
\end{array}
$$

Fig. 1: Typing Rules of CLL.


negative) actions is denoted by 𝒜⁺ (resp. 𝒜⁻). We sometimes use, e.g., 𝒜 or 𝒜⁺(x) to denote a process in the set. The CLL operational semantics is given by a structural congruence relation ≡ that captures static identities on processes, corresponding to commuting conversions in the logic, and a reduction relation → that captures process interaction, and corresponds to cut-elimination steps.


Definition 2.3 (P ≡ Q). Structural congruence ≡ is the least congruence on processes closed under α-conversion and the ≡-rules in Fig. 2.


The definition of ≡ reflects expected static laws, along the lines of the structural congruences / conversions in [71]. The binary operators forwarder, cut, and mix are commutative. The set of processes modulo ≡ is a commutative monoid with operation the parallel composition (− || −) and identity given by inaction 0 ([par]). Any static constructs commute, as expressed by the laws [CM]-[C!C]. The unrestricted cut distributes over all the static constructs by law [C!*], where − |*| − stands for either a mix, linear or unrestricted cut. The laws [C+*] and [C+] denote sound proof equivalences in linear logic and make explicit the independence of linear actions (noted a(x)) in different sessions x [53]. These conversions are not required to obtain deadlock freedom. However, they are necessary for full cut elimination (e.g., see [71]), and expose more redexes, thus more non-determinism in the choice of possible reductions. Perhaps surprisingly,
fwd x y ≡ fwd y x                                                           [fwd]
cut {P |x:A| Q} ≡ cut {Q |x:Ā| P}                                           [com]
P || 0 ≡ P     P || Q ≡ Q || P     P || (Q || R) ≡ (P || Q) || R            [par]
cut {P |x| (Q || R)} ≡ (cut {P |x| Q}) || R                                  [CM]
cut {P |x| (cut {Q |y| R})} ≡ cut {(cut {P |x| Q}) |y| R}                    [CC]
cut {P |z| (cut! {y.Q |!x| R})} ≡ cut! {y.Q |!x| (cut {P |z| R})}            [CC!]
cut! {y.Q |!x| (P || R)} ≡ P || (cut! {y.Q |!x| R})                          [C!M]
cut! {y.P |!x| (cut! {w.Q |!z| R})} ≡ cut! {w.Q |!z| (cut! {y.P |!x| R})}    [C!C]
cut! {y.P |!x| (Q |*| R)} ≡ cut! {y.P |!x| Q} |*| cut! {y.P |!x| R}          [C!*]
a(x); Q |*| R ≡ a(x); (Q |*| R)                                              [C+*]
a1(x); a2(y); P ≡ a2(y); a1(x); P                                            [C+]

Provisos: in [CM] x ∈ fn(Q); in [CC] x, y ∈ fn(Q); in [CC!], [C!M] x ∉ fn(P); in [C!C], x ∉ fn(Q) and z ∉ fn(P). In [C+], x ≠ y and bn(a1(x)) ∩ bn(a2(y)) = ∅.

Fig. 2: Structural congruence P ≡ Q.


cut {fwd x y |y| P} → {x/y}P                                                 [fwd]
cut {close x |x| wait x; P} → P                                              [1⊥]
cut {send x(y.P); Q |x| recv x(z); R} → Q |x| (P |y| {y/z}R)                 [⊗⅋]
cut {case x {|#ℓ ∈ L: P_ℓ} |x| #l x; R} → cut {P_l |x| R}                     [&⊕]
cut {!x(y); P |x| ?x; Q} → cut! {y.P |!x| Q}                                  [!?]
cut! {y.P |!x| call x(z); Q} → cut {{z/y}P |z| (cut! {y.P |!x| Q})}           [call]

Fig. 3: Reduction P → Q.


this extra flexibility is important to allow the deterministic sequential evaluation 
strategy for CLL programs adopted by the SAM to be expressed. 


Definition 2.4 (Reduction →). Reduction → is defined by the rules of Fig. 3.


We denote by ⇒ the reflexive-transitive closure of →. Reduction includes the set of principal cut conversions, i.e., the redexes for each pair of interacting constructs. It is closed by structural congruence ([≡]); in rule [cong] we consider that C is a static context, i.e., a process context in which the single hole is covered only by the static constructs mix or cut. The forwarding behaviour is implemented by name substitution [fwd] [14]. All the other reductions act on a principal cut between two dual actions, and eliminate it on behalf of cuts involving their subprocesses. CLL satisfies the basic safety properties listed below, and also confluence and termination [61]. In particular we have:
Theorem 2.1 (Type Preservation). Let P ⊢ Δ; Γ. (1) If P ≡ Q, then Q ⊢ Δ; Γ. (2) If P → Q, then Q ⊢ Δ; Γ.


A process P is live if and only if P = C[Q], for some static context C (the hole 
lies within the scope of static constructs mix and cut) and Q is an active process 
(a process with a topmost action prefix). 


Theorem 2.2 (Progress). Let P ⊢ ∅; ∅ be live. Then P → Q for some Q.


3 A Core Session Abstract Machine 


In this section we develop the key insights that guide the construction of our session abstract machine (SAM) and introduce its operational rules in an incremental fashion. We omit the linear logic exponentials for the sake of clarity of presentation, postponing their discussion to Section 6.

One of the main observations that drives the design of the SAM is the nature of proof dynamics in (classical) linear logic, and thus of process execution dynamics in the CLL system of Section 2. The proof dynamics of linear logic are derived from the computational content of the cut elimination proof, which defines a proof simplification strategy that removes (all) instances of the cut rule from a proof. However, the strategy induced by cut elimination is non-deterministic insofar as multiple simplification steps may apply to a given proof. Transposing this observation to CLL and other related systems, we observe that their operational semantics does not prescribe a rigid evaluation order for processes. For instance, in the process cut {P |x| Q}, reduction is allowed in both P and Q. This is of course in line with reduction in process calculi (e.g., [49]). However, in logic-based systems this amounts to don’t care non-determinism since, regardless of the evaluation order, confluence ensures that the same outcomes are produced (in opposition to don’t know non-determinism which breaks confluence and is thus disallowed in purely logical systems). The design of the SAM arises from attempting to fix a purely sequential reduction strategy for CLL processes, such that only one process is allowed to execute at any given point in time, in the style of coroutines. To construct such a strategy, we forego the use of purely synchronous communication channels, which require a handshake between two concurrently executing processes, and instead consider session channels as a kind of buffered communication medium (this idea has been explored in the context of linear logic interpretations of sessions in [25]), or queue, where one process can asynchronously write messages so that another may, subsequently, read them. To ensure the correct directionality of communication, the queue has a write endpoint (on which a process may only write) and a read endpoint (along which only reads may be performed), such that at any given point in time a process can only hold one of the two endpoints of a queue. Moreover, our design takes inspiration from insights related to polarisation and focusing in linear logic, grouping communication in sequences of positive (i.e., write) actions.

Allowing session channels to buffer message sequences, we may then model 
process execution by alternating between writer processes (that inject messages 
into the respective queues) and corresponding reader processes. Thus, the SAM 
S ::= (P, H)                                  State
H ::= SessionRef → SessionRec                 Heap
R ::= x(q, P)y                                Session Record
q ::= nil | Val@q                             Queue
Val ::= ✓                                     Close token
      | #l                                    Choice label
      | clos(x, P)                            Process Closure

Fig. 4: Core SAM Components


must maintain a heap that tracks the queue contents of each session (and its endpoints), as well as the suspended processes. The construction of the core of the SAM is given in Figure 4. An execution state is simply a pair consisting of the running process P and the heap H. For technical reasons that are made clear in Sections 4 and 5, the process language used in the SAM differs superficially from that of CLL, but for the purposes of this overview we will use CLL process syntax. Later we show the two languages are equivalent in a strong sense.

A heap is a mapping between session identifiers and session records of the 
form x(q, Q)y, denoting a session with write endpoint x and read endpoint y, with 
queue contents q and a suspended process Q, holding one of the two endpoints. 
If Q holds the read endpoint then it is suspended waiting for the process holding 
the write endpoint to fill the queue with data for it to read. If Q holds the write 
endpoint, then Q has been suspended after filling the queue and is now waiting 
for the reader process on y to empty the queue. 

We adopt the convention of placing the write endpoint on the left and the read endpoint on the right. In general, session records in the SAM support a form of coroutines through their contained processes, which are called on and returned from multiple times over the course of the execution of the machine. A queue can either be empty (nil) or holding a sequence of values. A value is either a close session token (✓), identifying the last output on a session; a choice label #l; or a process closure clos(x, P), used to model session send and receive. We overload the @ notation to also denote concatenation of queues.
Cut. We begin by considering how to execute a cut of the form cut {P |x:A⁺| Q} where x is of a positive type (in the sense of polarized logic [30]) in P. A positive type corresponds to a type denoting an output (or write) action, whereas a negative type denotes an input (or read) action. We maintain the invariant that in such a cut, P holds the write endpoint and Q the read endpoint. This means that the next action performed by P on the session will be to push some value onto the queue and, dually, the next action performed by Q on the session will be to read a value from the queue. In general, the holder of the write and read endpoint can change throughout execution.

Given the choice of either scheduling P or Q, we are effectively forced to schedule P before Q. Given that the cut introduces the (unique) session that is shared between the two processes, the only way for Q to exercise its read capability on the session successfully is to wait for P to have exercised (at least some of) its write capability. If we were to schedule Q before P, the process might attempt to read a value from an empty queue, resulting in a stuck state of the SAM. Thus, the SAM execution rule for cut is:

(cut {P |x:A⁺| Q}, H) ⇒ (P, H[x(nil, {y/x}Q)y])   [SCut]

The rule states that P is the process that is to be scheduled, adding the session record x(nil, Q)y to the heap, which effectively suspends the execution of Q until P has exercised some of its write capabilities on the new session. Note that, in general, both P and Q can interact along many different sessions as both readers and writers before exercising any action on x (resp. y). However, they alone hold the freshly created endpoints x and y, and so the next value sent along the session must come from P, and Q is its intended receiver.

Channel Output. To execute an output of the form send x(z.R); Q in the SAM we simply look up the session record for x and add to the queue a process closure containing R (which interacts along z), continuing with the execution of Q:

(send x(z.R); Q, H[x(q, P)y]) ⇒ (Q, H[x(q@clos(z, R), P)y])   [S⊗]

Note that the SAM eagerly continues to execute Q instead of switching to P, the holder of the read endpoint of the queue. This allows for the running process to perform all available writes before a context switch occurs.

Session Closure. Executing a close follows a similar spirit, but no continuation process exists and so execution switches to the process P holding the read endpoint y of the queue:

(close x, H[x(q, P)y]) ⇒ (P, H[x(q@✓, 0)y])   [S1]

The process P will eventually read the termination mark from the queue (triggering the deallocation of the session record from the heap):

(wait y; P, H[x(✓, 0)y]) ⇒ (P, H)   [S⊥]

Note the requirement that ✓ be the final element of the queue.

Negative Action on Write Endpoint. As hinted above for the case of executing a cut, the SAM has a kind of write bias insofar as the process chosen to execute in a cut is that which holds the write endpoint for the newly created session. Since CLL processes use channels bidirectionally, the role of writer and reader on a channel (and thus the holder of the write and read endpoints of the queue) may be exchanged during execution. For instance, a process P may wish to send a value v to Q and then receive a response on the same channel. However, when considering a queue-based semantics, the execution of the input action must not obtain the value v, intended for Q. Care is therefore needed to ensure that v is received by the holder of the read endpoint of the queue before P is allowed to execute its input action (and so taking over the read endpoint). This notion is captured by the following rule, where 𝒜⁻ denotes any process performing a negative polarity action (i.e., a wait, recv, case or, as we discuss later, a fwd x y when x is a write endpoint with a negative polarity type):

(𝒜⁻(x), H[x(q, Q)y]) ⇒ (Q, H[x(q, 𝒜⁻(x))y])   [S−]

If the executing process is to perform a negative polarity action on a write endpoint x, the SAM context switches to Q, the holder of the read endpoint y of the session, and suspends the previously running process. This will now allow for Q to perform the appropriate inputs before execution of the action 𝒜⁻ resumes.
Channel Input. The rules for recv actions are as follows:

(recv y(w:+); Q, H[x(clos(z, R)@q, P)y]) ⇒ (Q, H[w(nil, R)z][x(q)ᴾy])   [S⅋+]
(recv y(w:−); Q, H[x(clos(z, R)@q, P)y]) ⇒ (R, H[z(nil, Q)w][x(q)ᴾy])   [S⅋−]

where x(q)ᴾy = if (q = nil) then y(q, P)x else x(q, P)y. The execution of an input action requires the corresponding queue to contain a process closure, denoting the process that interacts along the received channel w. In order to ensure that no inputs attempt to read from an empty queue, we must branch on the polarity of the communicated session (written w:+ and w:− in the rules above): if the session has a positive type, then Q must take the write endpoint w of the newly generated queue (since Q uses the session with a dual type) and thus we execute Q and allocate a session record in the heap for the new session, with read endpoint z; if the exchanged session has a negative type, the converse holds and Q must take the read endpoint of the newly generated queue. In this scenario, we must execute R so that it may exercise its write capability on the queue, and suspend Q in the new session record.

In either case, the session record for the original session is updated by removing the received message from the queue. Crucially, since processes are well-typed, if the resulting queue is empty then it must be the case that Q has no more reads to perform on the session, and so we swap the read and write endpoints of the session. This swap serves two purposes: first, it enables Q to perform writes if needed; secondly, and more subtly, it allows for the process, say, P, that holds the other endpoint of the queue to be resumed to perform its actions accordingly. To see how this is the case, consider that such a process will be suspended (due to rule [S−]) attempting to perform a negative action on the write endpoint of the queue. After the swap, the endpoint of the suspended process now matches its intended action. Since Q now holds the write endpoint, it will perform some number of positive actions on the session, which end either in a close, which context switches to P, or when it attempts to perform a negative action on the write endpoint, triggering rule [S−] and so context switching to P.
Choice and Selection. The treatment of the additive constructs in the SAM is straightforward:

(#l x; Q, H[x(q, P)y]) ⇒ (Q, H[x(q@#l, P)y])   [S⊕]
(case y {|#ℓ ∈ L: Q_ℓ}, H[x(#l@q, P)y]) ⇒ (Q_l, H[x(q)ᴾy])   [S&]

Sending a label #l simply adds #l to the corresponding queue and proceeds with the execution, whereas executing a case reads a label from the queue and continues execution of the appropriate branch. Since removing the label may empty the queue, we perform the same adjustment as in rules [S⅋+] and [S⅋−].
Forwarding. Finally, let us consider the execution of a forwarder (recall that we overload the @ notation to also denote concatenation of queues):

(fwd x⁻ y⁺, H[z(q1, Q)x][y(q2, P)w]) ⇒ (P, H[z(q2@q1, Q)w])   [Sfwd]

A forwarder denotes the merging of two sessions x and y. Since the forwarder holds the read and write endpoints x and y, respectively, Q has written (through z) the contents of q1, whereas the previous steps of the currently running process have written q2. Thus, P is waiting to read q2@q1, justifying the rule above. The reader may then wonder about other possible configurations of the SAM heap and how they interact with the forwarder. Specifically, what happens if y is of a positive type but a read endpoint of a queue, or, dually, if x is of a negative type but a write endpoint. The former case is ruled out by the SAM since the heap satisfies the invariant that any session record of the form x:A(q, P)y:Ā ∈ H is such that A must be of negative polarity or P is the inert process (which cannot be forwarded). The latter case is possible and is handled by rule [S−], since such a forward fwd x⁻ y⁺ stands for a process that wants to perform a negative polarity action on a write endpoint (or a positive action on a read endpoint).


3.1 On the Write-Bias of the SAM 


Consider the following CLL process:

P ≜ cut {P1 |a:1⊗1| {a/b}Q1}

P1 ≜ send a(y.P2); P3      Q1 ≜ recv b(x); Q2
P2 ≜ close y               Q2 ≜ wait x; Q3
P3 ≜ close a               Q3 ≜ wait b; 0

Let us walk through the execution trace of P:

(1) (P, ∅)                              ⇒ by [SCut]
(2) (P1, a(nil, Q1)b)                   ⇒ by [S⊗]
(3) (P3, a(clos(y, P2), Q1)b)           ⇒ by [S1]
(4) (Q1, a(clos(y, P2)@✓, 0)b)          ⇒ by [S⅋−]
(5) (P2, y(nil, Q2)x, a(✓, 0)b)         ⇒ by [S1]
(6) (Q2, y(✓, 0)x, a(✓, 0)b)            ⇒ by [S⊥]
(7) (Q3, a(✓, 0)b)                      ⇒ by [S⊥]
(8) (0, ∅)


The SAM begins in the state on line (1) above, executing the cut. Since the type of a is positive, we execute P1, and allocate the session record, suspending Q1, resulting in the state on line (2). Since P1 is a write action on a write endpoint, we proceed via the [S⊗] rule, resulting in the SAM configuration in line (3), executing P3 and adding a closure containing P2 to the session queue with write endpoint a. Executing P3 (3), a close action, requires adding the ✓ to the queue and context switching to the process Q1, now ready to receive the sent value. The applicable rule is now (4) [S⅋−], and so execution will context switch to P2 after creating the session record for the new session with endpoints y and x. P2 will execute and the machine ends up in state (6) followed by (7), which consume the appropriate ✓ and deallocate the session records.

Note how after executing the send action of P1 we eagerly execute the positive action in P3 rather than context switching to Q1. While in this particular process it would have been safe to execute the negative action in Q1, switch to P2 and then back to Q2, we would now need to somehow context switch to P3 before continuing with the execution of Q3, or execution would be stuck. However, the relationship between P3 and Q2 is unclear at best. Moreover, if the continuation of Q1 were of the form wait b; wait x; 0, the context switch after the execution of P2 would have to execute P3, or the machine would also be in a stuck state.


3.2 Illustrating Forwarding 


To better illustrate the way in which fwd x⁻ y⁺ effectively stands for a negative
action, consider the following CLL process (to simplify the execution trace we
assume the existence of output and input of integers typed as int ⊗ A and int ⅋ A,
respectively, eliding the need for process closures in this example):

$P \triangleq \mathsf{cut}\{P_1 \mid b{:}\,\mathsf{int} \parr \mathsf{int} \parr 1 \mid \{b/c\}\mathsf{cut}\{Q_1 \mid a{:}\,\mathsf{int} \otimes \mathsf{int} \parr 1 \mid \{a/d\}R_1\}\}$

$P_1 \triangleq \mathsf{recv}\ b(x); P_2$    $Q_1 \triangleq \mathsf{send}\ a(1); Q_2$    $R_1 \triangleq \mathsf{recv}\ d(y); R_2$
$P_2 \triangleq \mathsf{recv}\ b(z); P_3$    $Q_2 \triangleq \mathsf{send}\ c(3); Q_3$    $R_2 \triangleq \mathsf{send}\ d(2); R_3$
$P_3 \triangleq \mathsf{close}\ b$    $Q_3 \triangleq \mathsf{fwd}\ a\ c$    $R_3 \triangleq \mathsf{wait}\ d; 0$


If we consider the execution of P we observe:

(1) $(P, \emptyset) \mapsto$ by [SCut]
(2) $(\mathsf{cut}\{Q_1 \mid a \mid \{a/d\}R_1\},\ c(\mathsf{nil}, P_1)b) \mapsto$ by [SCut]
(3) $(Q_1,\ a(\mathsf{nil}, R_1)d,\ c(\mathsf{nil}, P_1)b) \mapsto$ by [S⊗]
(4) $(Q_2,\ a(1, R_1)d,\ c(\mathsf{nil}, P_1)b) \mapsto$ by [S⊗]
(5) $(\mathsf{fwd}\ a\ c,\ a(1, R_1)d,\ c(3, P_1)b) \mapsto$ by [S−]
(6) $(R_1,\ a(1, Q_3)d,\ c(3, P_1)b) \mapsto$ by [S⅋]
(7) $(R_2,\ d(\mathsf{nil}, Q_3)a,\ c(3, P_1)b) \mapsto$ by [S⊗]
(8) $(R_3,\ d(2, Q_3)a,\ c(3, P_1)b) \mapsto$ by [S−]
(9) $(\mathsf{fwd}\ a\ c,\ d(2, R_3)a,\ c(3, P_1)b) \mapsto$ by [Sfwd]
(10) $(P_1,\ d(3@2, R_3)b) \mapsto$ by [S⅋]
(11) $(P_2,\ d(2, R_3)b) \mapsto$ by [S⅋]
(12) $(P_3,\ b(\mathsf{nil}, R_3)d) \mapsto$ by [S1]
(13) $(R_3,\ b(\checkmark, 0)d) \mapsto$ by [S⊥]
(14) $(0, \emptyset)$


The first four steps of the execution of P allocate the two session records and
the writes by Q1 and Q2 take place. We are now in configuration (5), where
Q3 = fwd a⁻ c⁺ is to execute and a is a write endpoint of a queue assigned a
negative type (int ⅋ 1). This forwarder stands for a process performing a negative
action on a write endpoint (i.e., P1) and so context switching is required: rule
[S−] applies and the SAM context switches to R1, suspending Q3 until the
forward can be performed. After R1 receives (6) and the queue endpoints a and
d are swapped (7), R2 executes and then rule [S−] applies (8), context switching
back to Q3. Since the queue endpoints are now flipped, rule [Sfwd] now applies
(9), collapsing the two session records (via queue concatenation) and proceeding
with the execution of P1, P2, P3 and R3 (10-14). Note the correct ordering in
which the sent values are dequeued, where 3 is read before 2, as intended.
Discussion. The core execution rules for the SAM are summarized in Fig. 5.
At this point, the reader may wonder just how reasonable the SAM’s evaluation 
strategy is. Our evaluation strategy is devised to be a deterministic, sequential 
strategy, where exactly one process is executing at any given point in time, 
supported by a queue-based buffer structure for channels and a heap for session 
records. Moreover, taking inspiration from focusing and polarized logic, we adopt 
a write-biased stance and prioritize (bundles of) write actions over reads, where 
suspended processes hold the read endpoint of queues while waiting for the writer 
process to fill the queue, and hold write endpoints of queues after filling them, 
waiting for the reader process to empty the queue. 

While this latter point seems like a reasonable way to ensure that inputs 
never get stuck, it is not immediately obvious that the strategy is sound wrt the 
more standard (asynchronous) semantics of CLL and related languages, given 
that processes are free to act on multiple sessions. Thus, the write-bias of the 
cut rule (and the overall SAM) does not necessarily mean that the process that 
is chosen to execute will immediately perform a write action on the freshly 
cut session x. In general, such a process may perform multiple write or read 
actions on many other sessions before performing the write on x, meaning that 
multiple context switches may occur. Given this, it is not obvious that this 
strategy is adequate insofar as preserving the correctness properties of CLL in 
terms of soundness, progress and type preservation. The remainder of this paper 
is devoted to establishing this correspondence in a precise technical sense. 


4 CLLB: A Buffered Formulation of CLL 


There is a substantial gap between the language CLL, presented in an abstract
algebraic style, and its operational semantics, defined by equational and rewriting
systems, and an abstract machine such as the SAM, a deterministic state machine
manipulating several low level structures. Therefore, even if the core SAM structure
and transition rules are fairly simple, proving its correctness is more challenging
and technically involved, and requires a progressive build up. We therefore first
bridge between CLL and the SAM via an intermediate logical language CLLB, which
extends CLL with a buffered cut construct.


$\mathsf{cut}\{P \mid \bar{a}{:}A\,[q]\,b{:}B \mid Q\}$


The buffered cut construct models interaction via a "message queue" with two
polarised endpoints a and b, held respectively by the processes P and Q. A
polarised endpoint has the form x̄ or x. The endpoint marked x̄ is the only one
allowing writes, the unmarked y is the only one allowing reads, and exactly one of
the two endpoints is marked. The endpoint types A, B are of course related but
do not need to be exact duals: the type of the writer endpoint may be advanced
in time wrt the type of the reader endpoint, reflecting the messages already
enqueued but not yet consumed. If the queue is empty, we have A = B. Thus a
buffered cut with an empty queue corresponds to the basic cut of CLL.


$(\mathsf{cut}\{P \mid x{:}A^{+} \mid Q\},\ H) \mapsto (P,\ H[x(\mathsf{nil}, \{y/x\}Q)y])$  [SCut]
$(\mathsf{fwd}\ x\ y,\ H[z(q_1, Q)x][y(q_2, P)w]) \mapsto (P,\ H[z(q_2@q_1, Q)w])$  [Sfwd]
$(\mathsf{close}\ x,\ H[x(q, P)y]) \mapsto (P,\ H[x(q@\checkmark, 0)y])$  [S1]
$(\mathsf{wait}\ y; P,\ H[x(\checkmark, 0)y]) \mapsto (P,\ H)$  [S⊥]
$(A^{-}(x),\ H[x(q, Q)y]) \mapsto (Q,\ H[x(q, A^{-}(x))y])$  [S−]
$(\mathsf{send}\ x(z.R); Q,\ H[x(q, P)y]) \mapsto (Q,\ H[x(q@\mathsf{clos}(z, R), P)y])$  [S⊗]
$(\mathsf{recv}\ y(w{:}+); Q,\ H[x(\mathsf{clos}(z, R)@q, P)y]) \mapsto (Q,\ H[w(\mathsf{nil}, R)z][x(q)^{*}y])$  [S⅋+]
$(\mathsf{recv}\ y(w{:}-); Q,\ H[x(\mathsf{clos}(z, R)@q, P)y]) \mapsto (R,\ H[z(\mathsf{nil}, Q)w][x(q)^{*}y])$  [S⅋−]
$(\#l\ x; Q,\ H[x(q, P)y]) \mapsto (Q,\ H[x(q@\#l, P)y])$  [S⊕]
$(\mathsf{case}\ y\,\{|\#l \in L : Q_l\},\ H[x(\#l@q, P)y]) \mapsto (Q_l,\ H[x(q)^{*}y])$  [S&]


N.B.: $x(q)^{*}y \triangleq \mathsf{if}\ (q = \mathsf{nil})\ \mathsf{then}\ y(q, P)x\ \mathsf{else}\ x(q, P)y$


Fig. 5: The core SAM Transition Rules


$\mathsf{cut}\{P \mid x{:}A \mid Q\} = \mathsf{cut}\{P \mid \bar{x}{:}A\,[\mathsf{nil}]\,y{:}A \mid \{y/x\}Q\}$  (A positive)
The queue q stores values V defined by 


$V ::= \checkmark$ (Close token) $\mid\ \#l$ (Selection Label) $\mid\ \mathsf{clos}(x, P)$ (Linear Closure) $\mid\ \mathsf{clos}!(x, P)$ (Exponential Closure)

$q ::= \mathsf{nil} \mid V \mid V@q$ (Queue)


We use @ to also denote the (associative) concatenation operation of queues, with
unit nil. Enqueue and dequeue operations occur respectively on the lhs and rhs.
The type system CLLB is obtained from CLL by replacing [TCut] with the
typing rules (and symmetric ones) in Fig. 6. We distinguish the type judgements
as P ⊢ Δ; Γ for CLL and P ⊢_B Δ; Γ for CLLB. The [TCutB] rule sets the
endpoint modes based on the cut type polarity, and is applicable whenever the queue
is empty. The remaining rules relate queue contents with their corresponding
(positive action) processes. For instance, rule [Tcut-⊗] can be read bottom-up
as stating that typing processes mediated by a queue containing a process closure
clos(y, R) amounts to typing the process that will emit the session y (bound to
R), interacting with the queue with the closure removed. Rules [Tcut-⊕] and
[Tcut!] apply a similar principle to the other possible queue contents. In [Tcut-1]
and [Tcut!] the write endpoint is typed ⊘, as the sender has terminated (0).
$\dfrac{P \vdash \Delta, x{:}A;\Gamma \qquad Q \vdash \Delta', y{:}A^{\perp};\Gamma}{\mathsf{cut}\{P \mid \bar{x}{:}A\,[\mathsf{nil}]\,y{:}A \mid Q\} \vdash_{B} \Delta, \Delta';\Gamma}$  (A positive) [TcutB]


$\dfrac{\mathsf{cut}\{\mathsf{close}\ x \mid \bar{x}{:}1\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}{\mathsf{cut}\{0 \mid \bar{x}{:}\oslash\,[q@\checkmark]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}$  [Tcut-1]


$\dfrac{\mathsf{cut}\{\mathsf{send}\ x(y.R); P \mid \bar{x}{:}T \otimes A\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}{\mathsf{cut}\{P \mid \bar{x}{:}A\,[q@\mathsf{clos}(y, R)]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}$  [Tcut-⊗]


$\dfrac{\mathsf{cut}\{\#l\ x; P \mid \bar{x}{:}\oplus\{|\#l \in L : A_l\}\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}{\mathsf{cut}\{P \mid \bar{x}{:}A_l\,[q@\#l]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}$  [Tcut-⊕]


$\dfrac{\mathsf{cut}\{!x(z); P \mid \bar{x}{:}\,!A\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}{\mathsf{cut}\{0 \mid \bar{x}{:}\oslash\,[q@\mathsf{clos}!(z, P)]\,y{:}B \mid Q\} \vdash_{B} \Delta;\Gamma}$  [Tcut!]


Fig. 6: Additional typing rules for CLLB.


$\mathsf{cut}\{Q \mid a{:}A\,[q]\,b{:}B \mid P\} \equiv \mathsf{cut}\{Q \mid b{:}B\,[q]\,a{:}A \mid P\}$  [comm]
$\mathsf{cut}\{P \mid x\,[q]\,y \mid (Q \parallel R)\} \equiv_{B} (\mathsf{cut}\{P \mid x\,[q]\,y \mid Q\}) \parallel R$  [CM]
$\mathsf{cut}\{P \mid x\,[q]\,z \mid (\mathsf{cut}\{Q \mid y\,[p]\,w \mid R\})\} \equiv_{B} \mathsf{cut}\{(\mathsf{cut}\{P \mid x\,[q]\,z \mid Q\}) \mid y\,[p]\,w \mid R\}$  [CC]
$\mathsf{cut}\{P \mid z\,[q]\,w \mid (\mathsf{cut!}\{y.Q \mid\, !x \mid R\})\} \equiv_{B} \mathsf{cut!}\{y.Q \mid\, !x \mid (\mathsf{cut}\{P \mid z\,[q]\,w \mid R\})\}$  [CC!]


$\mathsf{cut!}\{y.P \mid\, !x \mid (\mathsf{cut}\{Q \mid z\,[q]\,w \mid R\})\} \equiv_{B}$
$\mathsf{cut}\{(\mathsf{cut!}\{y.P \mid\, !x \mid Q\}) \mid z\,[q]\,w \mid (\mathsf{cut!}\{y.P \mid\, !x \mid R\})\}$  [D-C!]


Fig. 7: Additional structural congruence rules for CLLB.


Structural congruence for CLLB (noted ≡_B) is obtained by extending ≡ with
commutative conversions for the buffered cut, listed in Fig. 7. The following
provisos apply: in [CM] y ∈ fn(Q); in [CC] y, z ∈ fn(Q); in [CC!] x ∉ fn(P).
Accordingly, reduction for CLLB (noted →_B) is obtained by replacing the → rules
[fwd], [1⊥], [⊗⅋] and [⊕&] by the rules in Fig. 8. Essentially each principal
cut reduction rule of CLL is replaced by a pair of "positive" (→_p) / "negative"
(→_n) reduction rules that allow processes to interact asynchronously via the
queue, that is, positive process actions (corresponding to positive types) are non-
blocking. For example, the rule [⊗] for send appends a session closure to the tail of
the queue (rhs) and the rule [⅋] for receive pops a session closure from the head of the
queue (lhs). Notice that positive rules are enabled only if the relevant endpoint
is in write mode (x̄), and negative rules are enabled only if the relevant endpoint
is in read mode (y). In [⅋] the endpoint polarities of the target cuts depend
on the types of the composed processes. To uniformly express the appropriate
marking of endpoint polarities we define some convenient abbreviations:
$\mathsf{cut}\{Q \mid \bar{z}\,[q_1]\,x \mid \mathsf{fwd}\ x\ y \mid \bar{y}\,[q_2]\,w \mid P\} \to_{B} \mathsf{cut}\{Q \mid \bar{z}\,[q_2@q_1]\,w \mid P\}$  [fwd]
$\mathsf{cut}\{\mathsf{close}\ x \mid \bar{x}\,[q]\,y \mid Q\} \to_{B} \mathsf{cut}\{0 \mid \bar{x}\,[q@\checkmark]\,y \mid Q\}$  [1]
$\mathsf{cut}\{0 \mid \bar{x}\,[\checkmark]\,y \mid \mathsf{wait}\ y; P\} \to_{B} P$  [⊥]


$\mathsf{cut}\{\mathsf{send}\ x(z.P); Q \mid \bar{x}\,[q]\,y \mid R\} \to_{B} \mathsf{cut}\{Q \mid \bar{x}\,[q@\mathsf{clos}(z, P)]\,y \mid R\}$  [⊗]


$\mathsf{cut}\{Q \mid \bar{x}\,[\mathsf{clos}(z, P)@q]\,y \mid \mathsf{recv}\ y(w); R\} \to_{B}$
$\mathsf{cut}\{Q \mid \bar{x}\,[q]\,y \mid \mathsf{cut}\{P \mid z\,[\mathsf{nil}]\,w \mid R\}^{p}\}^{p}$  [⅋]


$\mathsf{cut}\{\#l\ x; P \mid \bar{x}\,[q]\,y \mid R\} \to_{B} \mathsf{cut}\{P \mid \bar{x}\,[q@\#l]\,y \mid R\}$  [⊕]
$\mathsf{cut}\{Q \mid \bar{x}\,[\#l@q]\,y \mid \mathsf{case}\ y\,\{|\#l \in L : P_l\}\} \to_{B} \mathsf{cut}\{Q \mid \bar{x}\,[q]\,y \mid P_l\}^{p}$  [&]
$\mathsf{cut}\{!x(z); P \mid \bar{x}\,[q]\,y \mid Q\} \to_{B} \mathsf{cut}\{0 \mid \bar{x}\,[q@\mathsf{clos}!(z, P)]\,y \mid Q\}$  [!]
$\mathsf{cut}\{0 \mid \bar{x}\,[\mathsf{clos}!(z, P)]\,y \mid\, ?y; Q\} \to_{B} \mathsf{cut!}\{z.P \mid\, !y \mid Q\}$  [?]


Fig. 8: Reduction P →_B Q.


Definition 4.1 (Setting polarities).


$\mathsf{cut}\{Q \mid a{:}A\,[\mathsf{nil}]\,b{:}B \mid P\}^{p} \triangleq \mathsf{if}\ {+}A\ \mathsf{then}\ \mathsf{cut}\{Q \mid \bar{a}{:}A\,[\mathsf{nil}]\,b{:}B \mid P\}$
$\qquad\qquad\qquad\qquad\qquad\qquad\ \mathsf{else}\ \mathsf{cut}\{Q \mid a{:}A\,[\mathsf{nil}]\,\bar{b}{:}B \mid P\}$
$\mathsf{cut}\{Q \mid a{:}A\,[q]\,b{:}B \mid P\}^{p} \triangleq \mathsf{cut}\{Q \mid a{:}A\,[q]\,b{:}B \mid P\}$  (q ≠ nil)


The following definition then formalizes the intuition given above about how 
to encode processes of CLL into processes of CLLB. 


Definition 4.2 (Embedding). Let P ⊢ Δ; Γ. P† is the CLLB process such that

$(\mathsf{cut}\{P \mid x{:}A \mid Q\})^{\dagger} \triangleq \mathsf{cut}\{P^{\dagger} \mid \bar{x}{:}A\,[\mathsf{nil}]\,y{:}A \mid (\{y/x\}Q)^{\dagger}\}$


homomorphically defined in the remaining constructs. Clearly P† ⊢_B Δ; Γ.


4.1 Preservation and Progress for CLLB 


In this section, we prove basic safety properties of CLLB: Preservation (Theorem
4.1) and Progress (Theorem 4.2). To reason about type derivations involving
buffered cuts, we formulate some auxiliary inversion principles that allow us, by
aggregating sequences of applications of [TCut-*] rules of CLLB, to talk in a uniform
way about typing of values in queues and typing of processes connected by
queues. To assert typing of queue values c we use judgments of the form Γ; Δ ⊢_v c : E,
where E is either a type or a one-hole type context, defined by


$E ::= \oslash \mid T \mid T \otimes E \mid \oplus_{l \in L} E_l$


where in ⊕_{l∈L} E_l only the branch type E_l for some selected label #l ∈ L is a one-hole
context (to plug the continuation type); only the branch chosen by the
selected label in a queue is relevant to type the next queue values. We identify the
selected branch in the type by tagging it with the corresponding label #l, thus
⊕_{l∈L} E_l[#l]. We then introduce the following typing rules for queue values.


Definition 4.3 (Typing of Queue Values).


$\dfrac{}{\Gamma;\, \cdot \vdash_{v} \checkmark : 1}$ $\qquad$ $\dfrac{P \vdash \Delta, z{:}T;\Gamma}{\Gamma;\, \Delta \vdash_{v} \mathsf{clos}(z, P) : T \otimes E}$


$\dfrac{}{\Gamma;\, \cdot \vdash_{v} \#l : \oplus_{l \in L} E_l[\#l]}$ $\qquad$ $\dfrac{P \vdash z{:}A;\Gamma}{\Gamma;\, \cdot \vdash_{v} \mathsf{clos}!(z, P) : \,!A}$


Given a sequence of k one-hole queue value types E_i and a type A, we denote by
E_k; A the type E_1[E_2[...E_k[A]]]. Queue value types allow us to talk in a uniform
way about the types of receiver processes compatible with the types of enqueued
values, as characterized by the following Lemma 4.1 and Lemma 4.2.


Lemma 4.1 (Non-full). For P ≠ 0 the rule below is admissible and invertible:


$\dfrac{P \vdash \Delta_P, x{:}A;\Gamma \qquad Q \vdash \Delta_Q, y{:}B^{\perp};\Gamma \qquad B = E_k; A \qquad \Gamma;\, \Delta_i \vdash_{v} c_i : E_i\ (1 \le i \le k)}{\mathsf{cut}\{P \mid \bar{x}{:}A\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta_P, \Delta_Q, \Delta_1, \ldots, \Delta_k;\Gamma}$  (q = c_1@…@c_k)


Notice that a session type, as defined by a CLL proposition, may terminate
in either 1, ⊥ or an exponential type !A/?A. We then also have


Lemma 4.2 (Full). The proof rules below are admissible:


$\dfrac{Q \vdash \Delta_Q, y{:}B^{\perp};\Gamma \qquad \Gamma;\, \Delta_i \vdash_{v} c_i : E_i \qquad B = E_k; 1 \qquad c_k = \checkmark}{\mathsf{cut}\{0 \mid \bar{x}{:}\oslash\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta_Q, \Delta_1, \ldots, \Delta_k;\Gamma}$


$\dfrac{Q \vdash \Delta_Q, y{:}B^{\perp};\Gamma \qquad \Gamma;\, \Delta_i \vdash_{v} c_i : E_i \qquad B = E_{k-1}; C \qquad \Gamma;\, \cdot \vdash_{v} c_k = \mathsf{clos}!(z, R) : C}{\mathsf{cut}\{0 \mid \bar{x}{:}\oslash\,[q]\,y{:}B \mid Q\} \vdash_{B} \Delta_Q, \Delta_1, \ldots, \Delta_k;\Gamma}$


Moreover, one of them must apply for inverting the judgment in the conclusion.
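The queue-value typing of Definition 4.3 and the inversion principles of Lemmas 4.1 and 4.2 can be run mechanically. The following added example (constructed for this page, not the authors' code, with my own encoding of types and queue values) walks a queue against the annotation B of the read endpoint and returns the writer's advanced type A, so that B = E_1[...E_k[A]]; it rejects values that do not match the positive head of the type or that follow a full queue, and it also evaluates the readiness condition of Definition 5.2 (the writer's type is negative or ⊘), which goes slightly beyond this section.

```python
"""Added example: advancing a CLLB endpoint type along its queue. Given the
annotation B of the read endpoint (the writer's type before the queued writes)
and the queue q = c_1 @ ... @ c_k, each value must match the positive head of
the current type ([Tcut-1], [Tcut-⊗], [Tcut-⊕], [Tcut!]); what remains is the
writer's current type A, with B = E_1[E_2[...E_k[A]]] as in Lemma 4.1."""

# Types (constructed encoding of the CLL propositions used on the page):
#   ('one',)            1          ('bot',)            ⊥
#   ('tensor', T, A)    T ⊗ A      ('par', T, A)       T ⅋ A
#   ('plus', {l: A_l})  ⊕{l: A_l}  ('with', {l: A_l})  &{l: A_l}
#   ('bang', A)         !A         ('quest', A)        ?A
#   ('void',)           ⊘, the writer has terminated (Lemma 4.2)
# Queue values: 'v' (✓), ('label', l) (#l), ('clos', z, P), ('closbang', z, P)
POSITIVE = {'one', 'tensor', 'plus', 'bang'}


class QueueTypeError(Exception):
    """The queue is not a well-typed prefix of the endpoint type."""


def advance(B, q):
    """Return the writer's current type A for a record x̄:A [q] y:B."""
    A = B
    for i, c in enumerate(q):
        head = A[0]
        if head == 'void':
            raise QueueTypeError(f"value {i} follows a full queue")
        if head not in POSITIVE:
            raise QueueTypeError(f"value {i} enqueued at negative type {A}")
        tag = c[0] if isinstance(c, tuple) else c
        if tag == 'v' and head == 'one':              # [Tcut-1]: ✓ closes the session
            A = ('void',)
        elif tag == 'clos' and head == 'tensor':      # [Tcut-⊗]: continue with the hole
            A = A[2]
        elif tag == 'label' and head == 'plus':       # [Tcut-⊕]: follow the chosen branch
            if c[1] not in A[1]:
                raise QueueTypeError(f"label {c[1]} is not offered by {A}")
            A = A[1][c[1]]
        elif tag == 'closbang' and head == 'bang':    # [Tcut!]: the sender has terminated
            A = ('void',)
        else:
            raise QueueTypeError(f"value {c} does not match type {A}")
    return A


def reader_is_ready(B, q):
    """Readiness of Definition 5.2 for the holder of y: the writer's type is
    negative or void, so every read in the current section is backed by a
    value already in the queue."""
    return advance(B, q)[0] not in POSITIVE


# Constructed sample: the session a: 1 ⊗ 1 of Section 3.1 after [S⊗] and [S1]
ONE_TENSOR_ONE = ('tensor', ('one',), ('one',))
CHOICE = ('plus', {'a': ('one',), 'b': ('bot',)})
```

For `ONE_TENSOR_ONE`, the queue `[('clos', 'y', P2)]` advances the writer to 1 and `[('clos', 'y', P2), 'v']` to ⊘, while for `CHOICE` selecting `#b` leaves the writer at ⊥ (reader ready) but selecting `#a` leaves it at 1 (the writer still has to close).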


Theorem 4.1 (Preservation). Let P ⊢_B Δ; Γ.
(1) If P ≡_B Q, then Q ⊢_B Δ; Γ. (2) If P →_B Q, then Q ⊢_B Δ; Γ.


A process P is live if and only if P = C[Q], for some static context C (the hole
lies within the scope of static constructs mix, cut) and Q is an action process.
We first show that a live process either reduces or offers an interaction on a
free name. The observability predicate defined in Fig. 9 (cf. [63]) characterises
interactions of a process with the environment.


Lemma 4.3 (Liveness). Let P ⊢_B Δ; Γ be live. Either P ↓_x, or P →_B.


Theorem 4.2 (Progress). Let P ⊢_B ∅; ∅ be a live process. Then, P →_B.
Fig. 9: Observability Predicate P ↓_x (rules [fwd], [A], [≡], [mix], [cut] and [cut!]; the rule bodies are not recoverable from the extraction).


4.2 Correspondence between CLL and CLLB 


In this section we establish the correspondence between reduction in CLL and
CLLB, proving that the two languages simulate each other in a tight sense.
Intuitively, the correspondence shows that CLLB allows some positive actions to
be buffered ahead of reception, while in CLL a single positive action synchronises
with the corresponding dual in one step, or a forward reduction takes place.

We write a reduction P →_B Q as P →_B^p Q if the reduced action is positive,
P →_B^n Q if the reduced action is negative (we consider [call] negative), P →_B^f Q
if the reduced action is a forwarder, and P →_B^{pf} Q if the reduced action is
positive or a forwarder. We also write P ⇒_B^{pn} Q for a positive action followed by
a matching negative action on the same cut with an initially empty queue.


Lemma 4.4. The following commutations of reductions hold.


1. Let $P_1 \to_{B}^{p} S \to_{B}^{n} P_2$. Either $P_1 \Rightarrow_{B}^{pn} P_2$, or $P_1 \to_{B}^{n} S' \to_{B}^{p} P_2$ for some $S'$.
2. Let $P_1 \to_{B}^{f} S \to_{B}^{n} P_2$. Then $P_1 \to_{B}^{n} S' \to_{B}^{f} P_2$ for some $S'$.
3. If $P_1 \to_{B}^{pf} S \to_{B}^{n} P_2$, either $P_1 \Rightarrow_{B}^{pn} P_2$, or $P_1 \to_{B}^{n} S' \to_{B}^{pf} P_2$ for some $S'$.
4. Let $P_1 \to_{B}^{pf*} N \to_{B}^{pf} S \to_{B}^{n} P_2$. Either $N \Rightarrow_{B}^{pn} P_2$, or $P_1 \to_{B}^{n} S' \to_{B}^{pf*} P_2$ for some $S'$.


Lemma 4.5 (Simulation). Let P ⊢ ∅; ∅. If P → Q then P† →_B* Q†.




Proof. Each cut reduction of CLL is either simulated by two reduction steps of
CLLB in sequence or by a [fwd] reduction.


The following lemma states that in CLLB, a sequence of positive actions
(or forwards) followed by a negative action can always be commuted either by
pulling out the negative action first, followed by the sequence of positive actions
and forwards; by having the negative action follow a positive action on the same
channel and then performing the remaining actions; or by first performing a
sequence of forward actions, the output and input on the relevant session and
then the remaining actions.


Lemma 4.6 (Simulation). Let $P \vdash_{B} \emptyset;\emptyset$. If $P \to_{B}^{pf*} \to_{B}^{n} Q$ then (1) $P \to_{B}^{n} R$
and $R \to_{B}^{pf*} Q$ for some R, or; (2) $P \Rightarrow_{B}^{pn} R$ and $R \to_{B}^{pf*} Q$ for some R, or; (3)
$P \to_{B}^{f*} \Rightarrow_{B}^{pn} R$ and $R \to_{B}^{pf*} Q$ for some R.


Theorem 4.3 (Operational correspondence CLL-CLLB). Let P ⊢ ∅; ∅.
1. If $P \to R$ then $P^{\dagger} \to_{B}^{*} R^{\dagger}$.
2. If $P^{\dagger} (\to_{B}^{pf*} \to_{B}^{n})^{*} Q$ then there is R such that $P \to^{*} R$ and $R^{\dagger} \to_{B}^{*} Q$.


Due to the progress property for CLLB (Theorem 4.2) and because queues
are bounded by the size of positive/negative sections in types, after a sequence of
positive or forwarder reductions a negative reduction consuming a queue value
must occur. Theorem 4.3(2) states that every reduction sequence in CLLB is
simulated by a reduction sequence in CLL up to some anticipated forwarding
and buffering of positive actions. Our results imply that every reduction path in
CLLB maps to a reduction path in CLL in which every negative reduction step
in the former is mapped, in order, to a cut reduction step in the latter.


5 Correctness of the core SAM 


We now prove that every execution trace of the core SAM defined in Fig. 5
represents a correct process reduction sequence of CLLB (and therefore of CLL, in
the light of Theorem 4.3), first for the language without exponentials and mix,
which will be treated in Section 6. In what follows, we annotate endpoints of
session records with their types (e.g. as x:A(q, P)y:B); these annotations are
not needed to guide the operation of the SAM, but are convenient for the proofs;
they will be omitted when not relevant or obvious from the context. We first
define a simple encoding of well-typed CLLB processes to SAM states.




Definition 5.1 (Encode). Given P ⊢_B ∅ we define enc(P) = C as enc(P, ∅) ⇓
C, where enc(P, H) ⇓ C is defined by the rules


$\dfrac{\mathsf{enc}(P(x),\ H[x{:}A(q, Q)y{:}B]) \Downarrow C}{\mathsf{enc}(\mathsf{cut}\{P \mid \bar{x}{:}A\,[q]\,y{:}B \mid Q\},\ H) \Downarrow C}$  (A⁺)

$\dfrac{\mathsf{enc}(Q(y),\ H[x{:}A(q, P)y{:}B]) \Downarrow C}{\mathsf{enc}(\mathsf{cut}\{P \mid \bar{x}{:}A\,[q]\,y{:}B \mid Q\},\ H) \Downarrow C}$  (A⁻ or P = 0)

$\mathsf{enc}(A, H) \Downarrow (A, H)$  (A an action)


Notice that enc(P) maximally applies the SAM execution rule for cut to (P, ∅)
until an action is reached. Clearly, for any P ⊢_B ∅, if enc(P) = C then (P, ∅) ↦* C.
Also, if all cuts in a state C have empty queues then there is a process Q of CLL
such that enc(Q†) = C. We then have


Theorem 5.1 (Soundness wrt CLLB). Let P ⊢_B ∅.
If enc(P) = D ↦* C then there is Q such that P →* U ≡ Q and C = enc(Q).


We can then combine soundness with the operational correspondence between
CLL and CLLB (Theorem 4.3) to obtain an overall soundness result for the SAM
with respect to CLL:


Theorem 5.2 (Soundness wrt CLL). Let P ⊢_B ∅.
1. If enc(P) ↦* C there is Q such that P →* U ≡ Q and C = enc(Q).
2. Let P ⊢ ∅. If enc(P†) ↦* enc(Q†) then P →* Q.
In Definition 5.2 we identify readiness, the fundamental invariant property of
SAM states, key to proving progress of its execution strategy. Readiness means that
any running process holding an endpoint of negative type, and thus attempting to
execute a negative action (e.g., a receive or offer action) on it, will always find an
appropriate value (resp. a closure or a label) to be read in the appropriate session
queue. No busy waiting or context switching will be necessary since the sequential
execution semantics of the SAM enforces that all actions corresponding to a
positive section of a session type have always been enqueued by the "caller"
process before the "callee" takes over. As discussed in Section 3, it might not seem
obvious whether all such input endpoints (including endpoints moved around
via send / receive interactions) always refer to non-empty queues.

Readiness must also be maintained by processes suspended in session records,
even if a suspended process waiting on a read endpoint will not necessarily have
the corresponding queue already populated. Intuitively, a process P is (H, N)-
ready if all its "reads" in the input channels (except those in N) will be matched
by values already stored in the corresponding session queue.


Definition 5.2 (Ready). Process P is (H, N)-ready if for all y ∈ fn(P) \ N
and x:A(q, R)y ∈ H, A is negative or void. We abbreviate (H, ∅)-ready by
H-ready. Heap H is ready if, for all x(q, R)y ∈ H, the following conditions hold:


1. if R(y) then R is (H, {y})-ready;
2. if R(x) then R is H-ready;
3. if clos(z:−, R) ∈ q, R is (H, {z})-ready;
4. if clos(z:+, R) ∈ q, R is H-ready.


State C = (P, H) is ready if H is ready and P is H-ready.

Lemma 5.1 (Readiness). Let P ⊢_B ∅ and (P, ∅) ↦* S. Then S is ready.

Theorem 5.3 (Progress). Let P ⊢_B ∅ and P live. Then enc(P) ↦ S'.


6 The SAM for full CLL 


In this section, we complete our initial presentation of the SAM; in particular, we
introduce support for the exponentials, allowing the machine to compute with
non-linear values, and a selective concurrency semantics. We have delayed the
introduction of an environment structure for the SAM, to make the presentation
easier to follow. However, this was done at the expense of a more abstract
formalisation of the operational semantics, making use of α-conversion, and overloading
language syntax names as heap references for allocated session records.

The SAM actually relies on an environment-based implementation of name
management, presented in Fig. 10. A SAM state is then a triple (E, P, H) where
E is an environment that maps each free name of the code P into either a
closure or a heap record endpoint. These heap references are freshly allocated
and unique, thus avoiding any clashes and enforcing proper static scoping.
Closures, representing suspended linear (clos(z, E, P)) and exponential behaviour
(clos!(z, E, P)), pair the code with its environment, and we expect the following
structural safety conditions for name binding in configurations to hold.
S ::= (E, P, H)                          State
H ::= Ref ⇀ SessionRec                   Heap
SessionRec ::= x(q, E, P)y
q ::= nil | Val@q                        Queue
Val ::= ✓                                Close token
      | #l                               Choice label
      | clos(x, E, P)                    Linear Closure
      | clos!(x, E, P)                   Exponential Closure
E, G, F ::= Name ⇀ (Ref ∪ Val)           Environment


Fig. 10: The SAM


Definition 6.1 (Closure).

A process P is (E, N)-closed if fn(P) \ N ⊆ dom(E), and E-closed if (E, ∅)-closed.
Environment E is H-closed if for all x ∈ dom(E): if E(x) is a reference then
x ∈ H, and if E(x) = clos!(z, F, R) then F is H-closed and R is (F, {z})-closed.
Heap H is closed if for all x(q, G, Q)y ∈ H, G is H-closed, Q is G-closed, and
for all clos(z, F, R) ∈ q and clos!(z, F, R) ∈ q, F is H-closed and R is (F, {z})-
closed. State (E, P, H) is closed if H is closed, E is H-closed, and P is E-closed.


In Fig. 11 we present the environment-based execution rules for the SAM. All
rules except those for exponentials have already been essentially presented in
Fig. 5 and discussed in previous sections. The only changes to those rules are
due to the presence of environments, which at all times record the bindings for
free names in the code. Overall, we have


Lemma 6.1. Let P ⊢_B ∅; ∅. For all S such that (∅, P, ∅) ↦* S, S is closed.


We discuss the SAM rules for the exponentials. Values of exponential type are
represented by exponential closures clos!(z, F, R). Recall that a session type may
terminate in either type 1, type ⊥ or in an exponential type !A/?A (cf. Lemma 4.2).
So, the (positive) execution rule [S!] is similar to rule [S1]: it enqueues the
closure representing the replicated process, and switches context, since the session
terminates (cf. [!] in Fig. 8). The execution rule [S?] is similar to rule [S⅋]: it pops
a closure from the queue (which, in this case, always becomes empty), and
instead of using it immediately, adds it to the environment to become persistently
available to client code (cf. reduction rule [?] in Fig. 8). Any such closure
representing a replicated process may be called by client code with transition rule
[Scall], which essentially creates a new linear session composed by cut with the
client code, similarly to [69]. Rule [Scall] operates with some similarity to rule
[S⅋]: instead of activating a linear closure popped from the queue, it activates an
exponential closure fetched from the environment.

We extend the enc map to the exponential cut and environment states
(E, P, H) by adapting Definition 5.1 and adding the clause:
$(\mathcal{E},\ \mathsf{cut}\{P \mid \bar{x}{:}A\,[\mathsf{nil}]\,y{:}B \mid Q\},\ H) \mapsto (\mathcal{G},\ P,\ H[a(\mathsf{nil}, \mathcal{F}, Q)b])$  $a, b = \mathsf{new},\ \mathcal{G} = \mathcal{E}\{a/x\},\ \mathcal{F} = \mathcal{E}\{b/y\}$  [SCut]

$(\mathcal{E},\ \mathsf{close}\ x,\ H[a(q, \mathcal{F}, P)b]) \mapsto (\mathcal{F},\ P,\ H[a(q@\checkmark, \emptyset, 0)b])$  $a = \mathcal{E}(x)$  [S1]

$(\mathcal{E},\ \mathsf{fwd}\ x\ y,\ H[c(q_1, \mathcal{G}, Q)a][b(q_2, \mathcal{F}, P)d]) \mapsto (\mathcal{F},\ P,\ H[c(q_2@q_1, \mathcal{G}, Q)d])$  $a = \mathcal{E}(x),\ b = \mathcal{E}(y)$  [Sfwd]

$(\mathcal{E},\ \mathsf{wait}\ y; P,\ H[a(\checkmark, \emptyset, 0)b]) \mapsto (\mathcal{E},\ P,\ H)$  $b = \mathcal{E}(y)$  [S⊥]

$(\mathcal{E},\ A^{-}(x),\ H[a(q, \mathcal{G}, Q)b]) \mapsto (\mathcal{G},\ Q,\ H[a(q, \mathcal{E}, A^{-}(x))b])$  $a = \mathcal{E}(x)$  [S−]

$(\mathcal{E},\ \mathsf{send}\ x(z.R); Q,\ H[a(q, \mathcal{G}, P)b]) \mapsto (\mathcal{E},\ Q,\ H[a(q@\mathsf{clos}(z, \mathcal{E}, R), \mathcal{G}, P)b])$  $a = \mathcal{E}(x)$  [S⊗]

$(\mathcal{E},\ \mathsf{recv}\ y(w{:}+); Q,\ H[a(\mathsf{clos}(z, \mathcal{F}, R)@q, \mathcal{G}, P)b]) \mapsto (\mathcal{E}',\ Q,\ H[e(\mathsf{nil}, \mathcal{F}', R)f][a(q)^{*}b])$
$e, f = \mathsf{new},\ b = \mathcal{E}(y),\ \mathcal{E}' = \mathcal{E}\{e/w\},\ \mathcal{F}' = \mathcal{F}\{f/z\}$  [S⅋+]

$(\mathcal{E},\ \mathsf{recv}\ y(w{:}-); Q,\ H[a(\mathsf{clos}(z, \mathcal{F}, R)@q, \mathcal{G}, P)b]) \mapsto (\mathcal{F}',\ R,\ H[e(\mathsf{nil}, \mathcal{E}', Q)f][a(q)^{*}b])$
$e, f = \mathsf{new},\ b = \mathcal{E}(y),\ \mathcal{F}' = \mathcal{F}\{e/z\},\ \mathcal{E}' = \mathcal{E}\{f/w\}$  [S⅋−]

$(\mathcal{E},\ \#l\ x; Q,\ H[a(q, \mathcal{G}, P)b]) \mapsto (\mathcal{E},\ Q,\ H[a(q@\#l, \mathcal{G}, P)b])$  $a = \mathcal{E}(x)$  [S⊕]

$(\mathcal{E},\ \mathsf{case}\ y\,\{|\#l \in L : Q_l\},\ H[a(\#l@q, \mathcal{G}, P)b]) \mapsto (\mathcal{E},\ Q_l,\ H[a(q)^{*}b])$  $b = \mathcal{E}(y)$  [S&]

$(\mathcal{E},\ !x(z); Q,\ H[a(q, \mathcal{G}, P)b]) \mapsto (\mathcal{G},\ P,\ H[a(q@\mathsf{clos}!(z, \mathcal{E}, Q), \emptyset, 0)b])$  $a = \mathcal{E}(x)$  [S!]

$(\mathcal{E},\ ?y; Q,\ H[a(\mathsf{clos}!(z, \mathcal{F}, R), \emptyset, 0)b]) \mapsto (\mathcal{E}',\ Q,\ H)$  $b = \mathcal{E}(y),\ \mathcal{E}' = \mathcal{E}\{\mathsf{clos}!(z, \mathcal{F}, R)/y\}$  [S?]

$(\mathcal{E},\ \mathsf{call}\ y(w{:}+); Q,\ H) \mapsto (\mathcal{E}',\ Q,\ H[a(\mathsf{nil}, \mathcal{F}', R)b])$
$a, b = \mathsf{new},\ \mathcal{E}' = \mathcal{E}\{a/w\},\ \mathcal{F}' = \mathcal{F}\{b/z\},\ \mathsf{clos}!(z, \mathcal{F}, R) = \mathcal{E}(y)$  [Scall+]

$(\mathcal{E},\ \mathsf{call}\ y(w{:}-); Q,\ H) \mapsto (\mathcal{F}',\ R,\ H[a(\mathsf{nil}, \mathcal{E}', Q)b])$
$a, b = \mathsf{new},\ \mathcal{E}' = \mathcal{E}\{b/w\},\ \mathcal{F}' = \mathcal{F}\{a/z\},\ \mathsf{clos}!(z, \mathcal{F}, R) = \mathcal{E}(y)$  [Scall−]


$a(q)^{*}b \triangleq \mathsf{if}\ (q = \mathsf{nil})\ \mathsf{then}\ b(q, \mathcal{G}, P)a\ \mathsf{else}\ a(q, \mathcal{G}, P)b$


Fig. 11: SAM Transition Rules for the complete CLL


$\dfrac{\mathsf{enc}(\mathcal{E}\{\mathsf{clos}!(y, \mathcal{E}, R)/x\},\ P,\ H) \Downarrow C}{\mathsf{enc}(\mathcal{E},\ \mathsf{cut!}\{y.R \mid\, !x \mid P\},\ H) \Downarrow C}$
We now update our meta-theoretical results for the complete SAM. 


Theorem 6.1 (Soundness). Let P ⊢_B ∅; ∅.
If enc(P) = D ↦* C then there is Q such that P →* U ≡ Q and C = enc(Q).


Theorem 6.2 (Progress). Let P ⊢_B ∅; ∅ and P live. Then enc(P) ↦ C.


6.1 Concurrent Semantics of Cut and Mix


Intuitively, the execution of mix P || Q consists in the parallel execution of (non-
interfering) processes P and Q. We may execute P || Q by sequentialising P and
Q in some arbitrary way, and this actually may be useful in some cases.
However, much more interesting is the accommodation in the SAM of
interfering concurrency, as required to support full-fledged concurrent languages for
session-based programming. First, we evolve the SAM from single threaded to
multithreaded, where states now expose a multiset of processes P_i ready for
execution by the basic SAM sequential transitions: ({P1, P2, ..., Pn}, H), and
introduce an annotated variant pcut of the cut. It has the same CLL/CLLB semantics,
but is to be implemented as a fork construct where P and Q spawn concurrently,
their interaction mediated by an atomic concurrent session record x⟨q⟩y. The
type system ensures that concurrent channels may be forwarded only to
concurrent channels. We extend the SAM with transition rules for multisets:


$\dfrac{(P, H) \mapsto (P', H')}{(P \uplus T,\ H) \mapsto (P' \uplus T,\ H')}$  [Srun]


$(\mathsf{pcut}\{P \mid \bar{x}{:}A\,[q]\,y{:}B \mid Q\} \uplus T,\ H) \mapsto (\{P, Q\} \uplus T,\ H[x\langle\mathsf{nil}\rangle y])$  [SCutp]
$((P \parallel Q) \uplus T,\ H) \mapsto (\{P, Q\} \uplus T,\ H)$  [SMixp]


Each individual thread executes locally according to the SAM sequential
transitions presented before, until an action on a concurrent queue is reached.
Concurrent process actions on concurrent queues are atomic, and defined as expected.
Positive actions always progress by pushing a value into the queue, while
negative actions will either pop a value off the queue or block, waiting for a
value to become available. We illustrate with the rules for 1, ⊥ typed actions.


$(\mathsf{close}\ x,\ H[x\langle q\rangle y]) \mapsto (0,\ H[x\langle q@\checkmark\rangle y])$  [S1c]
$(\mathsf{wait}\ y; P,\ H[x\langle\checkmark\rangle y]) \mapsto (P,\ H)$  [S⊥c]

Notice that, as in the case for wait y; P above, any negative action in the
thread queue is unable to progress if the corresponding queue is empty. It should
be clear how to define transition rules for all other pairs of dual actions. Given
an appropriate encoding enc^c of annotated CLLB processes in concurrent SAM
states, and as a consequence of typing and leveraging the proof scheme for progress
in CLLB (Theorem 4.2), we have:


Theorem 6.3 (Soundness-c). Let P ⊢_B ∅; ∅.
If enc^c(P) = D ↦* C then there is Q such that P →* U ≡ Q and C = enc^c(Q).

Theorem 6.4 (Progress-c). Let P ⊢_B ∅; ∅ and P live. Then enc^c(P) ↦ C.


The extended SAM executes concurrent session programs, consisting of an
arbitrary number of concurrent threads. Each thread deterministically executes
sequential code, but can at any moment spawn new concurrent threads. The
whole model is expressed in the common language of (classical) linear logic,
statically ensuring safety, proper resource usage, termination, and deadlock
absence by static typing.


7 Concluding Remarks and Related Work 


We introduce the Session Abstract Machine, or SAM, an abstract machine for
executing session processes typed by (classical) linear logic CLL, deriving a
deterministic, sequential evaluation strategy, where exactly one process is executing
at any given point in time. In the SAM, session channels are implemented as
single queues with a write and a read endpoint, which are written to, and read
by, executing processes. Positive actions are non-blocking, giving rise to a degree
of asynchrony. However, processes in a session synchronise at polarity inversions,
where they alternate execution, according to a fixed co-routining strategy.
Despite its specific strategy, the SAM semantics is sound wrt CLL and satisfies
the correctness properties of logic-based session type systems. We also present a
conservative concurrent extension of the SAM, allowing the degrees of
concurrency to be modularly expressed at a fine grain, ranging from fully sequential
to fully concurrent execution. Indeed, a practical concern with the SAM design
lies in providing a principled foundation for an execution environment for multi-
paradigm languages, combining concurrent, imperative and functional
programming. The overall SAM design as presented here may be uniformly extended
to cover any other polarised language constructs that conservatively extend the
PaT paradigm, such as polymorphism, affine types, recursive and co-recursive
types, and shared state [56, 61]. We have implemented a SAM-based version
of an open-source implementation of CLL [62].

A machine model provides evidence of the algorithmic feasibility of a
programming language abstract semantics, and illuminates its operational meaning
from a certain concrete semantic perspective. Since the seminal work of Landin
on the SECD [43], several machines to support the execution of programs for a
given programming language have been proposed. The SAM is then proposed
herein in this same spirit as Cousineau, Curien and Mauny's Categorical
Abstract Machine for the call-by-value λ-calculus [21], Lafont's Linear Abstract
Machine for the linear λ-calculus [41], and Krivine's Machine for the call-by-
name λ-calculus; these works explored Curry-Howard correspondences to
propose provably correct solutions. In [22], Danvy developed a deconstruction
of the SECD based on a sequence of program transformations. The SAM is also
derived from Curry-Howard correspondences for linear logic CLL [15, 72], and we
also rely on program conversions, via the intermediate buffered language CLLB,
as a key proof technique. We believe that the SAM is the first proposal of its
kind to tackle the challenges of a process language, while building on several
deep properties of its type structure towards a principled design. Among those,


230 L. Caires, B. Toninho 


focusing and polarisation played an important role to achieve 
a deterministic sequential reduction strategy for session-based programming, 
perhaps our main initial motivation. That allows the SAM to naturally and effi- 
ciently integrate the execution of sequential and concurrent session behaviours, 
and suggests effective compilation schemes for mainstream virtual machines or 
compiler frameworks. 

The adoption of session and linear types is clearly increasing in research
(e.g., [58]) and general purpose languages (e.g., Haskell [88], Rust [42],
OCaml [35, 52], F# [51], Move [1], among many others), which either require
sophisticated encodings of linear typing via type-level computation or forgo
some static correctness properties for usability purposes. Such developments
typically have as a main focus the realization of the session typing discipline
(or of a particular refinement of such typing), with the underlying concurrent
execution model often offloaded to existing language infrastructure.

We highlight the work [19], which studies the relationship between syn- 
chronous session types and game semantics, which are fundamentally asyn- 
chronous. Their work proposes an encoding of synchronous strategies into asyn- 
chronous strategies by so-called call-return protocols. While their focus differs 
significantly from ours, the encoding via asynchrony is reminiscent of our own. 

We further note the work which develops a polarized variant of the λμμ̃-calculus
suitable for sequent calculi like that of linear logic. While we draw upon similar
inspirations in the design of the SAM, there are several key distinctions: the
work presents λμ-calculi featuring values and substitution of terms for vari-
ables (potentially deep within the term structure). Our system, being based on
a process calculus, features neither: there is no term representing the outcome
of a computation, since computation is the interactive behavior of processes (cf.
game semantics); nor does computation rely on substitution in the same sense.
Another significant distinction is that our work materializes a heap-based ab-
stract machine rather than a stack-based machine. Finally, our type and term
structure is not itself polarized. Instead, we draw inspiration from focusing in-
sofar as we extract from focusing the insights that drive execution in the SAM.

In future work, we plan to study the semantics of the SAM in terms of games
(and categories), along the lines of [41]. We also plan to investigate the
ways in which the evaluation strategy of the SAM can be leveraged to develop
efficient compilation of fine-grained session-based programming, and its relation-
ship with effect handlers, coroutines and delimited continuations. Linearity plays
a key role in programming languages and environments for smart contracts in
distributed ledgers manipulating linear resources (assets); it would be in-
teresting to investigate how linear abstract machines like the SAM would provide
a basis for certifying resource sensitive computing infrastructures.

Data Availability. An implementation of the SAM as a typechecker and inter-
preter is publicly available [17]. Additional definitions and proofs can be found
in the companion extended technical report [16].

Abstract. This article presents Trocq, a new proof transfer frame-
work for dependent type theory. Trocq is based on a novel formulation
of type equivalence, used to generalize the univalent parametricity trans-
lation. This framework takes care of avoiding dependency on the axiom
of univalence when possible, and may be used with more relations than
just equivalences. We have implemented a corresponding plugin for the
Coq interactive theorem prover, in the Coq-Elpi meta-language.


Keywords: Parametricity, Representation independence, Univalence, 
Proof assistants, Proof transfer 


1 Introduction 


Formalizing mathematics provides every object and statement of the mathemat- 
ical literature with an explicit data structure, in a certain choice of foundational 
formalism. As one would expect, several such explicit representations are most 
often needed for a same mathematical concept. Sometimes, these different choices 
are already made explicit on paper: multivariate polynomials can for instance be 
represented as lists of coefficient-monomial pairs, e.g., when computing Gröbner
bases, but also as univariate polynomials with polynomial coefficients, e.g.,
for the purpose of projecting algebraic varieties. The conversion between these 
equivalent data structures however remains implicit on paper, as they code in 
fact for the same free commutative algebra. In some other cases, implementation 
details are just ignored on paper, e.g., when a proof involves both reasoning with 
Peano arithmetic and computing with large integers. 


Example 1 (Proof-oriented vs. computation-oriented data structures). The stan-
dard library of the Coq interactive theorem prover has two data structures
for representing natural numbers. Type ℕ is the base-1 number system and the
associated elimination principle ℕ_ind is the usual recurrence scheme:


Inductive ℕ : Type := 0_ℕ : ℕ | S_ℕ (_ : ℕ) : ℕ.


ℕ_ind : ∀ P : ℕ → □, P 0_ℕ → (∀ n : ℕ, P n → P (S_ℕ n)) → ∀ n : ℕ, P n


On the other hand, type N provides a binary representation positive of non-
negative integers, as sequences of bits with a head 1, and is thus better suited
for coding efficient arithmetic operations. The successor function S_N : N → N
is no longer a constructor of the type, but can be implemented as a program,
via an auxiliary successor function Spos for type positive.


Inductive positive : Type :=
  xI : positive → positive | xO : positive → positive | xH : positive.


Inductive N : Type := 0_N : N | Npos : positive → N.


Fixpoint Spos (p : positive) : positive := match p with
  | xH => xO xH | xO p => xI p | xI p => xO (Spos p) end.


Definition S_N (n : N) := match n with
  | Npos p => Npos (Spos p) | _ => Npos xH end.


This successor function is useful to implement conversions ↑_ℕ : ℕ → N and
↓_ℕ : N → ℕ between the unary and binary representations. These conversion
functions are in fact inverses of each other. The natural recurrence scheme on
natural numbers thus transfers to type N:


N_ind : ∀ P : N → □, P 0_N → (∀ n : N, P n → P (S_N n)) → ∀ n : N, P n


Incidentally, N_ind can be proved from ℕ_ind by using only the fact that ↓_ℕ
is a left inverse of ↑_ℕ, and the following compatibility lemmas:


↑_ℕ 0_ℕ = 0_N and ∀ n : ℕ, ↑_ℕ (S_ℕ n) = S_N (↑_ℕ n)
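As an added illustration (our own script, not the paper's or the Trocq plugin's code), the derivation of N_ind from ℕ_ind spelled out in Coq on the standard-library types nat and N, with N.of_nat and N.to_nat standing in for ↑_ℕ and ↓_ℕ; it relies only on the round-trip lemma N2Nat.id (↑_ℕ (↓_ℕ n) = n) and the two compatibility lemmas, and uses Prop-valued predicates so that Coq's nat induction applies directly:

```coq
(* Added example, not from the paper: N_ind derived from nat induction.
   nat is the unary type (the paper's ℕ), N the binary one; N.of_nat and
   N.to_nat play the roles of the conversions ↑_ℕ and ↓_ℕ. *)
From Coq Require Import NArith Nnat.

Definition up_N : nat -> N := N.of_nat.   (* ↑_ℕ : ℕ → N *)
Definition down_N : N -> nat := N.to_nat. (* ↓_ℕ : N → ℕ *)

(* Round trip on N: ↑ (↓ n) = n, i.e. every binary number has a unary
   representative. This is the only fact about down_N the proof uses. *)
Lemma up_down (n : N) : up_N (down_N n) = n.
Proof. apply N2Nat.id. Qed.

(* The two compatibility lemmas of Example 1. *)
Lemma up_0 : up_N 0 = 0%N.
Proof. reflexivity. Qed.

Lemma up_S (n : nat) : up_N (S n) = N.succ (up_N n).
Proof. apply Nat2N.inj_succ. Qed.

(* The recurrence scheme transferred to N, proved from nat induction alone
   (Prop-valued P so that Coq's nat_ind applies directly). *)
Lemma N_ind_from_nat_ind (P : N -> Prop) :
  P 0%N -> (forall n : N, P n -> P (N.succ n)) -> forall n : N, P n.
Proof.
  intros P0 PS.
  (* Step 1: P holds on every image up_N k, by ordinary induction on k. *)
  assert (H : forall k : nat, P (up_N k)).
  { induction k as [| k IH].
    - rewrite up_0. exact P0.
    - rewrite up_S. exact (PS _ IH). }
  (* Step 2: reach an arbitrary n : N through its unary representative. *)
  intro n.
  rewrite <- (up_down n).
  exact (H (down_N n)).
Qed.
```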


Proof transfer issues are not tied to program verification. For instance, the 
formal study of summation and integration, in basic real analysis, provides a 
classic example of frustrating bureaucracy. 


Example 2 (Extended domains). Given a sequence (u_n)_{n∈ℕ} of non-negative real
numbers, i.e., a function u : ℕ → [0, +∞), u is said to be summable when the
sequence (Σ_{k≤n} u_k)_{n∈ℕ} has a finite limit, denoted Σ u. Now for two summable
sequences u and v, it is easy to see that u + v, the sequence obtained by point-wise
addition of u and v, is also a summable sequence, and that:


Σ (u + v) = Σ u + Σ v (1)


As expression Σ u only makes sense when u is a summable sequence, any alge-
braic operation "under the sum", e.g., rewriting Σ (u + (v + w)) into Σ ((w + u) + v),
a priori requires a proof of summability for every rewriting step. In a classical
setting, the standard approach rather assigns a default value to the case of an
infinite sum, and introduces an extended domain [0, +∞]. Algebraic operations
on real numbers, like addition, are extended to the extra +∞ case. Now for a
sequence u : ℕ → [0, +∞], the limit Σ u is always defined, as increasing partial
sums either converge to a finite limit, or diverge to +∞. The road map is then to
first prove that Equation (1) holds for any two sequences of extended non-negative
numbers. The result is then transferred to the special case of summable sequences
of non-negative numbers. Major libraries of formalized mathematics including
Lean's mathlib [1], Isabelle/HOL's Archive of Formal Proofs, coq-interval [20] or
Coq's mathcomp-analysis [2], resort to such extended domains and transfer steps,
notably for defining measure theory. Yet, as reported by expert users [18], the as-
sociated transfer bureaucracy is essentially done manually and thus significantly
clutters formal developments in real and complex analysis, probabilities, etc.


Users of interactive theorem provers should be allowed to elude mundane ar- 
guments pertaining to proof transfer, as they would on paper, and spare them- 
selves the related bureaucracy. Yet, they still need to convince the proof checker 
and thus have to provide explicit transfer proofs, albeit ideally automatically 
generated ones. The present work aims at providing a general method for imple- 
menting this nature of automation, for a diverse range of proof transfer problems. 

In this paper, we focus on interactive theorem provers based on dependent 
type theory, such as Coq, Agda or Lean [22]. These proof management sys- 
tems are genuine functional programming languages, with full-spectrum depen- 
dent types, a context in which representation independence meta-theorems can 
be turned into concrete instruments for achieving program and proof transfer. 

Seminal results on the contextual equivalence of distinct implementations of 
a same abstract interface were obtained for System F, using logical relations [21] 
and parametricity meta-theorems [26, 35]. In the context of type theory, such
meta-theorems can be turned into syntactic translations of the type theory of 
interest into itself, automating this way the generation of the statement and proof 
of parametricity properties for type families and for programs. Such syntactic 
relational models can accommodate dependent types [10], inductive types [9] and 
scale to the Calculus of Inductive Constructions, with an impredicative sort [19].

In particular, the univalent parametricity translation [30] leverages the uni- 
valence axiom [33] so as to transfer statements using established equivalences of 
types. This approach crucially removes the need for devising an explicit common 
interface for the types in relation. In presence of an internalized univalence axiom 
and of higher-inductive types, the structure identity principle provides internal 
representations of independence results, for more general relations between types 
than equivalences [5]. This last approach is thus particularly relevant in cubi- 
cal type theory [12, 34]. Indeed, a computational interpretation of the univalence
axiom brings computational adequacy to otherwise possibly stuck terms, those 
resulting from a transfer involving an axiomatized univalence principle. 

Yet taming the bureaucracy of proof transfer remains hard in practice for 
users of Coq, Lean or Agda. Examples 1 and 2 actually illustrate fundamental
limitations of the existing approaches: 
Univalence is overkill. Both univalent parametricity and the structure identity
principle can be used to derive the statement and the proof of the induction
principle N_ind of Example 1 from the elimination scheme of type ℕ. But up
to our knowledge, all the existing methods for automating this implication pull
in the univalence principle in the proof, although it can be obtained by hand by
very elementary means. This limitation is especially unsatisfactory for developers
of libraries formalizing classical mathematics, and notably Lean's mathlib. These
libraries indeed typically assume a strong form of proof irrelevance, which is
incompatible with univalence, and thus with univalent parametricity.


Equivalences are not enough, neither are quotients. Univalent parametricity can-
not help with Example 2, as type [0, +∞) is not equivalent to its extended version
[0, +∞]. In fact, we are not aware of any tool able to automate this proof transfer.
In particular, the structure identity principle [5] would not apply as such.


Contributions. In short, existing techniques for transferring results from one type
to another, e.g., from ℕ to N or from extended real numbers to real numbers,
are either not suitable for dependent types, or too coarse to track the exact
amount of data needed in a given proof, and not more. This paper presents
three contributions improving this unfortunate state of affairs:


— A parametricity framework à la carte, that generalizes the univalent para-
metricity translation [30], as well as refinements à la CoqEAL and gen-
eralized rewriting [28]. Its pivotal ingredient is a variant of Altenkirch and
Kaposi's symmetrical presentation of type equivalence [8].

— A conservative subtyping extension of CC_ω [15], used to formulate an infer-
ence algorithm for the synthesis of parametricity proofs.

— The implementation of a new parametricity plugin for the Coq interactive
theorem prover, using the Coq-Elpi meta-language. This plugin rests
on original formal proofs, conducted on top of the HoTT library [8], and is
distributed with a collection of application examples.


Outline. The rest of this paper is organized as follows. Section 2 introduces
proof transfer and recalls the principle, strengths and weaknesses of the uni-
valent parametricity translation. In Section 3 we present a new definition of
type equivalence, motivating a hierarchy of structures for relations preserved by
parametricity. Section 4 then presents variants of parametricity translations. In
Section 5 we discuss a few examples of applications and we conclude in Section 6.


2 Strengths and limits of univalent parametricity 


We first clarify the essence of proof transfer in dependent type theory (§ 2.1) and
briefly recall a few concepts related to type equivalence and univalence (§ 2.2).
We then review and discuss the limits of univalent parametricity (§ 2.3).

2.1 Proof transfer in type theory


We recall the syntax of the Calculus of Constructions, CC_ω, a λ-calculus with
dependent function types and a predicative hierarchy of universes, denoted □_i:


A, B, M, N ::= □_i | x | M N | λx : A. M | Πx : A. B


We omit the typing rules of the calculus, and refer the reader to standard refer-
ences (e.g., [25, 23]). We also use the standard equality type, called propositional
equality, as well as dependent pairs, denoted Σx : A. B. We write t ≡ u the def-
initional equality between two terms t and u. Interactive theorem provers like
Coq, Agda and Lean are based on various extensions of this core, notably with
inductive types or with an impredicative sort. When the universe level does not
matter, we casually remove the annotation and use notation □.

In this context, proof transfer from type T_1 to type T_2 roughly amounts to
synthesizing a new type former W : T_2 → □, i.e., a type parametric in some
type T_2, from an initial type former V : T_1 → □, i.e., a type parametric in some
type T_1, so as to ensure that for some given relations R_T : T_1 → T_2 → □ and
R_□ : □ → □ → □, there is a proof w that:


Γ ⊢ w : ∀(t_1 : T_1)(t_2 : T_2), R_T t_1 t_2 → R_□ (V t_1) (W t_2)


for a suitable context Γ. This setting generalizes as expected to k-ary type
formers, and to more pairs of related types. In practice, relation R_□ is often
a right-to-left arrow, i.e., R_□ A B ≜ B → A, as in this case the proof w
substantiates a proof step turning a goal clause Γ ⊢ V t_1 into Γ ⊢ W t_2.

Phrased as such, this synthesis problem is arguably quite loosely speci-
fied. Consider for instance the transfer problem discussed in Example 1. A
first possible formalization involves the design of an appropriate common in-
terface structure for types ℕ and N, for instance by setting both T_1 and T_2 as
ΣN : □. N × (N → N), and both V and W as: λX : T_1. ΠP : X.1 → □. P X.2 →
(Πn : X.1. P n → P (X.3 n)) → Πn : X.1. P n, where X.i denotes the i-th
item in the dependent tuple X. In this case, relation R_T may characterize iso-
morphic instances of the structure. Such instances of proof transfer are elegantly
addressed in cubical type theories via internal representation independence re-
sults [5]. In the context of CC_ω, the hassle of devising explicit structures by hand
has been termed the anticipation problem [30].

Another option is to consider two different types T_1 ≜ ℕ × (ℕ → ℕ) and
T_2 ≜ N × (N → N) and


V' ≜ λX : T_1. ∀P : ℕ → □. P X.1 → (∀n : ℕ, P n → P (X.2 n)) → ∀n : ℕ, P n
W' ≜ λX : T_2. ∀P : N → □. P X.1 → (∀n : N, P n → P (X.2 n)) → ∀n : N, P n


where one would typically expect R_T to be a type equivalence between T_1 and
T_2, so as to transport (V' t_1) to (W' t_2), along this equivalence.

Note that some solutions of given instances of proof transfer problems are in
fact too trivial to be of interest. Consider for example the case of a functional
relation between T_1 and T_2, with R_T t_1 t_2 defined as t_1 = φ t_2, for some φ :
T_2 → T_1. In this case, the composition V ∘ φ is an obvious candidate for W, but
is often uninformative. Indeed, this composition can only propagate structural
arguments, blind to the additional mathematical proofs of program equivalences
potentially available in the context. For instance, here is a useless variant of W':


W'' ≜ λX : T_2. ∀P : ℕ → □. P (↓_ℕ X.1) →
(∀n : ℕ, P n → P (↓_ℕ (X.2 (↑_ℕ n)))) → ∀n : ℕ, P n.


Automation devices dedicated to proof transfer thus typically consist of a
meta-program which attempts to compute type former W and proof w by in-
duction on the structure of V, by composing registered canonical pairs of related
terms, and the corresponding proofs. These tools differ by the nature of relations
they can accommodate, and by the class of type formers they are able to synthe-
size. For instance, generalized rewriting, which provides essential support to
formalizations based on setoids [7], addresses the case of homogeneous (and re-
flexive) relations, i.e., when T_1 and T_2 coincide. The CoqEAL library [14] provides
another example of such transfer automation tool, geared towards refinements,
typically from a proof-oriented data-structure to a computation-oriented one. It
is thus specialized to heterogeneous, functional relations but restricted to closed,
quantifier-free type formers. We now discuss the few transfer methods which can
accommodate dependent types and heterogeneous relations.


2.2 Type equivalences, univalence 


Let us first focus on the special case of types related by an equivalence, and start
with a few standard definitions, notations and lemmas. Omitted details can be
found in the usual references, like the Homotopy Type Theory book [33]. Two
functions f, g : A → B are point-wise equal, denoted f ≐ g, when their values
coincide on all arguments, that is f ≐ g ≜ Πa : A. f a = g a. For any type
A, id_A denotes λa : A. a, the identity function on A, and we write id when the
implicit type A is not ambiguous.


Definition 1 (Type isomorphism, type equivalence). A function f : A →
B is an isomorphism, denoted IsIso(f), if there exists a function g : B → A which
satisfies the section and retraction properties, i.e., g is respectively a point-wise
left and right inverse of f. A function f is an equivalence, denoted IsEquiv(f),
when it moreover enjoys a coherence property, relating the proofs of the section
and retraction properties and ensuring that IsEquiv(f) is proof-irrelevant.

Types A and B are equivalent, denoted A ≃ B, when there is an equivalence
f : A → B:

A ≃ B ≜ Σf : A → B. IsEquiv(f)


Lemma 1. Any isomorphism f : A → B is also an equivalence.


The data of an equivalence e : A ≃ B thus include two transport functions,
denoted respectively ↑_e : A → B and ↓_e : B → A. They can be used for proof
transfer from A to B, using ↑_e at covariant occurrences, and ↓_e at contravariant
ones. The univalence principle asserts that equivalent types are interchangeable,
in the sense that all universes are univalent.


Definition 2 (Univalent universe). A universe □ is univalent if for any two
types A and B in □, the canonical map A = B → A ≃ B is an equivalence.


In variants of CC_ω, the univalence axiom has no explicit computational content:
it just postulates that all universes □_i are univalent, as for instance in the HoTT
library for the Coq interactive theorem prover [8]. Some more recent variants of
dependent type theory [12, 34] feature a built-in computational univalence princi-
ple. They are used to implement experimental interactive theorem provers, such
as Cubical Agda [34]. In both cases, the univalence principle provides a powerful
proof transfer principle from □ to □, as for any two types A and B such that
A ≃ B, and any P : □ → □, we can obtain that P A ≃ P B as a direct corollary
of univalence. Concretely, P B is obtained from P A by appropriately allocat-
ing the transfer functions provided by the equivalence data, a transfer process
typically useful in the context of proof engineering [27].

Going back to our example from § 2.1, transferring along an equivalence
ℕ ≃ N thus produces W'' from V'. Assuming univalence, one may achieve the
more informative transport from V' to W', using a method called univalent
parametricity [30], which we discuss in the next section.


2.3 Parametricity translations 


Univalent parametricity strengthens the transfer principle provided by the uni-
valence axiom by combining it with parametricity. In CC_ω, the essence of para-
metricity, which is to devise a relational interpretation of types, can be turned
into an actual syntactic translation, as relations can themselves be modeled as
λ-terms in CC_ω. The seminal work of Bernardy, Lasson et al. [10, 19, 9] combines
into what we refer to as the raw parametricity translation, which essentially defines
inductively a logical relation ⟦T⟧ for any type T, as described in Figure 1. This
presentation uses the standard convention that t' is the term obtained from a
term t by replacing every variable x in t with a fresh variable x'. A variable x
is translated into a variable x_R, where x_R is a fresh name. Parametricity follows
from the associated fundamental theorem, also called abstraction theorem [26]:


Theorem 1. If Γ ⊢ t : T then the following hold: ⟦Γ⟧ ⊢ t : T, ⟦Γ⟧ ⊢ t' : T'
and ⟦Γ⟧ ⊢ ⟦t⟧ : ⟦T⟧ t t'.


Proof. By structural induction on the typing judgment, see for instance [19].
A key, albeit mundane ingredient of Theorem 1 is the fact that the rules of
Figure 1 ensure that:

⊢ ⟦□_i⟧ : ⟦□_{i+1}⟧ □_i □_i (9)


— Context translation:

⟦∅⟧ = ∅ (2)
⟦Γ, x : A⟧ = ⟦Γ⟧, x : A, x' : A', x_R : ⟦A⟧ x x' (3)

— Term translation:

⟦□_i⟧ = λA A'. A → A' → □_i (4)
⟦x⟧ = x_R (5)
⟦A B⟧ = ⟦A⟧ B B' ⟦B⟧ (6)
⟦λx : A. t⟧ = λ(x : A)(x' : A')(x_R : ⟦A⟧ x x'). ⟦t⟧ (7)
⟦Πx : A. B⟧ = λf f'. Π(x : A)(x' : A')(x_R : ⟦A⟧ x x'). ⟦B⟧ (f x) (f' x') (8)


Fig. 1: Raw parametricity translation for CC_ω.


This translation precisely generates the statements expected from a paramet-
ric type family or program. For instance, the translation of a Π-type, given by
Equation 8, is a type of relations on functions that relate those producing re-
lated outputs from related inputs. Concrete implementations of this translation
are available [19, 31]; they generate and prove parametricity properties for type
families or for constants, improved induction schemes, etc.
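The universe and Π cases of Figure 1 (Equations 4 and 8) written out as Coq definitions and instantiated on the successor functions of Example 1; this is an added example with our own names (Univ_R, Pi_R, natN_R, arrow_R), not the paper's or any existing plugin's implementation of the translation:

```coq
(* Added example, not from the paper: the universe and Pi cases of the raw
   parametricity translation (Figure 1, Equations 4 and 8) as Coq definitions,
   instantiated on the successor functions of Example 1. *)
From Coq Require Import NArith Nnat.

(* Eq. (4): the translation of a universe sends two types to the type of
   relations between them. *)
Definition Univ_R (A A' : Type) : Type := A -> A' -> Type.

(* Eq. (8): two dependent functions f, f' are related when related inputs
   x, x' (witness xR) yield related outputs; BR is the translation of the
   codomain family and may depend on the inputs and the witness. *)
Definition Pi_R {A A' : Type} (AR : Univ_R A A')
  (B : A -> Type) (B' : A' -> Type)
  (BR : forall (x : A) (x' : A'), AR x x' -> B x -> B' x' -> Type)
  (f : forall x, B x) (f' : forall x', B' x') : Type :=
  forall (x : A) (x' : A') (xR : AR x x'), BR x x' xR (f x) (f' x').

(* Constructed relation between unary and binary naturals: n is related to
   its binary encoding N.of_nat n (the paper's up-arrow). *)
Definition natN_R : Univ_R nat N := fun n m => N.of_nat n = m.

(* Non-dependent instance of Eq. (8): relation between nat -> nat and N -> N. *)
Definition arrow_R : Univ_R (nat -> nat) (N -> N) :=
  Pi_R natN_R (fun _ => nat) (fun _ => N) (fun _ _ _ => natN_R).

(* The unary and binary successors are related: this is exactly the second
   compatibility lemma of Example 1, read through the translation. *)
Definition succ_R : arrow_R S N.succ :=
  fun n m nR => eq_trans (Nat2N.inj_succ n) (f_equal N.succ nR).
```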

Univalent parametricity follows from the observation that the abstraction
theorem still holds when restricting to relations that are in fact (heterogeneous)
equivalences. This however requires some care in the translation of universes:


[□_i] A B ≜ Σ(R : A → B → □_i)(e : A ≃ B).
Π(a : A)(b : B). R a b ≃ (a = ↓_e b) (10)


where [·] now refers to the univalent parametricity translation, replacing the
notation introduced for the raw variant. For any two types A and B, [□_i] A B
packages a relation R and an equivalence e such that R is equivalent to the
functional relation associated with ↓_e. Crucially, assuming univalence, [□_i] is
equivalent to type equivalence, that is, for any two types A and B:


[□_i] A B ≃ (A ≃ B).


This observation is actually an instance of a more general technique available
for constructing syntactic models of type theory [11], based on attaching extra
intensional specifications to negative type constructors. In these models, a stan-
dard way to recover the abstraction theorem consists of refining the translation
into two variants, for any term T : □_i, that is also a type. The translation of
such a T as a term, denoted [T], is a dependent pair, which equips a relation
with the additional data prescribed by the interpretation [□_i] of the universe.
The translation ⟦T⟧ of T as a type is the relation itself, that is, the projection
of the dependent pair [T] onto its first component, denoted rel([T]). We refer
to the original article [30, Figure 4] for a complete description of the translation.

We now state the abstraction theorem of the univalent parametricity trans-
lation [30], where ⊢_u denotes a typing judgment of CC_ω assuming univalence:

Theorem 2. If Γ ⊢_u t : T then ⟦Γ⟧ ⊢_u [t] : ⟦T⟧ t t'.


Note that proving the abstraction theorem 2 involves in particular proving that:


⊢_u [□_i] : ⟦□_{i+1}⟧ □_i □_i and rel([□_i]) = ⟦□_i⟧. (11)


The definition of relation [□_i] relies on the univalence principle in a crucial way,
in order to prove that the relation in the universe is equivalent to equality on
the universe, i.e., to prove that:


Importantly, this univalent parametricity translation can be seamlessly extended
so as to also make use of a global context of user-defined equivalences.

Yet because of the interpretation of universes given by Equation 10, univalent
parametricity can only automate proof transfer based on type equivalences. This
is too strong a requirement in many cases, e.g., to deduce properties of natural
numbers from that of integers, or more generally for refinement relations. Even in
the case of equivalent types, this restriction may be problematic, as Equation 10
may incur unnecessary dependencies on the univalence axiom, as in Example 1.


3 Type equivalence in kit 


In this section, we propose (§ 3.1) an equivalent, modular presentation of type
equivalence, phrased as a nested sigma type. Then (§ 3.2), we carve a hierarchy
of structures on relations out of this dependent tuple, selectively picking pieces.
Last, we revisit (§ 3.3) parametricity translations through the lens of this finer
grained analysis of the relational interpretations of types.


3.1 Disassembling type equivalence 


Let us first observe that Definition 1 of type equivalence is quite asymmet-
rical, although this fact is somehow swept under the rug by the infix A ≃ B
notation. First, the data of an equivalence e : A ≃ B privileges the left-to-right
direction, as ↑_e is directly accessible from e as its first projection, while accessing
the right-to-left transport requires an additional projection. Second, the state-
ment of the coherence property, which we eluded in Definition 1, is actually:


Πa : A. ap_{↑_e}(s a) = r (↑_e a)


where ap_f(t) is the term of type f u = f v, for any identity proof t : u = v. This state-
ment uses proofs s and r, respectively of the section and retraction properties
of e, but not in a symmetrical way, although swapping them leads to an equiv-
alent definition. This entanglement prevents tracing the respective roles of each
direction of transport, left-to-right or right-to-left, during the course of a given
univalent parametricity translation. Exercise 4.2 in the HoTT book however
suggests a symmetrical definition of type equivalence, via functional relations.
Definition 3. A relation R : A → B → □_i is functional when:


Πa : A. IsContr(Σb : B. R a b)


where for any type T, IsContr(T) is the standard contractibility predicate Σt :
T. Πt' : T. t = t'. This property is denoted IsFun(R).


We can now obtain an equivalent but symmetrical characterization of type 
equivalence, as a functional relation whose symmetrization is also functional. 


Lemma 2. For any types A, B : □, type A ≃ B is equivalent to:


ΣR : A → B → □. IsFun(R) × IsFun(R^{-1})


where R^{-1} : B → A → □ just swaps the arguments of relation R : A → B → □.


We sketch below a proof of this result, left as an exercise in [33]. The essential
argument is the following characterization of functional relations:


Lemma 3. The type of functions is equivalent to the type of functional relations;
i.e., for any types A, B : □, we have (A → B) ≃ ΣR : A → B → □. IsFun(R).


Proof. The proof goes by chaining the following equivalences:


(ΣR : A → B → □. IsFun(R)) ≃ (A → ΣP : B → □. IsContr(Σb : B. P b))
≃ (A → B)


Proof (of Lemma 2). The proof goes by chaining the following equivalences,
where the type of f is always A → B and the type of R is A → B → □:


(A ≃ B) ≃ Σf : A → B. IsEquiv(f)   by definition of (A ≃ B)
≃ Σf. Πb : B. IsContr(Σa. f a = b)   standard result in HoTT
≃ Σf. IsFun(λ(b : B)(a : A). f a = b)   by definition of IsFun(·)
≃ Σ(φ : ΣR. IsFun(R)). IsFun(π_1(φ)^{-1})   by Lemma 3
≃ ΣR. IsFun(R) × IsFun(R^{-1})   by associativity of Σ.


However, the definition of type equivalence provided by Lemma 2 does not
expose explicitly the two transfer functions in its data, although this compu- 
tational content can be extracted via first projections of contractibility proofs. 
In fact, it is possible to devise a definition of type equivalence which directly 
provides the two transport functions in its data, while remaining symmetrical. 
This variant follows from an alternative characterization of functional relations. 


Definition 4. For any types A, B : □_i, a relation R : A → B → □_i is a
univalent map, denoted IsUmap(R), when there exists a function m : A → B
together with:


g_1 : Π(a : A)(b : B). m a = b → R a b
and g_2 : Π(a : A)(b : B). R a b → m a = b
such that Π(a : A)(b : B). (g_1 a b) ∘ (g_2 a b) = id.
Now comes the crux lemma of this section.


Lemma 4. For any types A, B : □ and any relation R : A → B → □:


IsFun(R) ≃ IsUmap(R).


Proof. The proof goes by rewording the left hand side, in the following way:


Πx. IsContr(Σy. R x y)
≃ Πx. Σ(r : Σy. R x y). Π(p : Σy. R x y). r = p
≃ Πx. Σy. Σ(r : R x y). Π(p : Σy. R x y). (y, r) = p
≃ Σf. Πx. Σ(r : R x (f x)). Π(p : Σy. R x y). (f x, r) = p
≃ Σf. Σ(r : Πx. R x (f x)). Πx. Π(p : Σy. R x y). (f x, r x) = p
≃ Σf. Σr. Πx. Πy. Π(p : R x y). (f x, r x) = (y, p)
≃ Σf. Σr. Πx. Πy. Π(p : R x y). Σ(e : f x = y). r x =_e p
≃ Σf. Σr. Σ(e : Πx. Πy. R x y → f x = y). Πx. Πy. Πp. (r x) =_{e x y p} p


After a suitable reorganization of the sigma types we are left to show that


Σ(r : Πx. Πy. f x = y → R x y). (e x y) ∘ (r x y) = id
≃ Σ(r : Πx. R x (f x)). Πx. Πy. Πp. r x =_{e x y p} p


which proof we do not detail, referring the reader to the supplementary material.


As a direct corollary, we obtain a novel characterization of type equivalence:

Theorem 3. For any types $A, B : \square_i$, we have:
$$(A \simeq B) \simeq \square^\top\,A\,B$$
where the relation $\square^\top\,A\,B$ is defined as:
$$\Sigma R : A \to B \to \square_i.\ \mathrm{IsUmap}(R) \times \mathrm{IsUmap}(R^{-1})$$

The collection of data packed in a term of type $\square^\top\,A\,B$ is now symmetrical,
as the right-to-left direction of the equivalence based on univalent maps can
be obtained from the left-to-right by flipping the relation and swapping the
two functionality proofs. If the $\eta$-rule for records is verified, symmetry is even
definitionally involutive.


3.2 Reassembling type equivalence 


Definition 4 of univalent maps and the resulting rephrasing of type equivalence
suggest introducing a hierarchy of structures for heterogeneous relations, which
explains how close a given relation is to type equivalence. In turn, this distance
is described in terms of structure available respectively on the left-to-right and
right-to-left transport functions.
Definition 5. For $n, k \in \{0, 1, 2_a, 2_b, 3, 4\}$, and $\alpha = (n, k)$, relation
$\square^\alpha : \Pi (A\,B : \square).\ A \to B \to \square$ is defined as:
$$\square^\alpha \triangleq \lambda (A\,B : \square).\ \Sigma (R : A \to B \to \square).\ \mathrm{Class}_\alpha\,R$$
where the map class $\mathrm{Class}_\alpha\,R$ itself unfolds to a pair type $(M_n\,R) \times (M_k\,R^{-1})$,
with $M_i$ defined as⁵
$$\begin{array}{l}
M_0\,R \triangleq \\
M_{2_a}\,R \triangleq \Sigma m : A \to B.\ G_{2_a}\,m\,R \quad\text{with}\quad G_{2_a}\,m\,R \triangleq \Pi a\,b.\ m\,a = b \to R\,a\,b\\
M_{2_b}\,R \triangleq \Sigma m : A \to B.\ G_{2_b}\,m\,R \quad\text{with}\quad G_{2_b}\,m\,R \triangleq \Pi a\,b.\ R\,a\,b \to m\,a = b\\
M_3\,R \triangleq \Sigma m : A \to B.\ (G_{2_a}\,m\,R) \times (G_{2_b}\,m\,R)\\
M_4\,R \triangleq \Sigma m : A \to B.\ \Sigma (g_1 : G_{2_a}\,m\,R).\ \Sigma (g_2 : G_{2_b}\,m\,R).\ \Pi a\,b.\ (g_1\,a\,b) \circ (g_2\,a\,b) = \mathrm{id}
\end{array}$$

For any types $A$ and $B$, and any $r : \square^\alpha\,A\,B$ we use notations $\mathrm{rel}(r)$, $\mathrm{map}(r)$
and $\mathrm{comap}(r)$ to refer respectively to the relation, the map of type $A \to B$ and the map of
type $B \to A$ included in the data of $r$, for a suitable $\alpha$.


Definition 6. We denote $\mathcal{A}$ the set $\{0, 1, 2_a, 2_b, 3, 4\}^2$, used to index map classes
in Definition 5. This set is partially ordered for the product order defined from
the partial order $0 < 1 < 2_x < 3 < 4$ for $2_x$ either $2_a$ or $2_b$, and with $2_a$ and $2_b$
being incomparable.


Remark 1. Relation $\square^{(4,4)}$ of Definition 5 coincides with the relation $\square^\top$ introduced
in Theorem 3. Similarly, we denote $\square^\bot$ the relation $\square^{(0,0)}$.


Remark 2. Definition 5 is associated with the following dictionary. For $r$ of type:

— $\square^{(1,0)}\,A\,B$, $\mathrm{map}(r)$ is an arbitrary function $f : A \to B$;

— $\square^{(4,0)}\,A\,B$, $\mathrm{rel}(r)$ is a univalent map, in the sense of Definition 4;

— $\square^{(4,2_a)}\,A\,B$, $\mathrm{rel}(r)$ is the graph of a retraction (i.e., a surjective univalent
map with an explicit partial left inverse) of type $A \to B$;

— $\square^{(4,2_b)}\,A\,B$, $\mathrm{rel}(r)$ is the graph of a section (i.e., an injective univalent map
with explicit partial right inverse) of type $A \to B$;

— $\square^{(4,4)}\,A\,B$, $r$ is an equivalence between $A$ and $B$;

— $\square^{(3,3)}\,A\,B$, $r$ is an isomorphism between $A$ and $B$.

Observe that $\square^{(m,n)}\,A\,B$ coincides, up to equivalence, with $\square^{(n,m)}\,B\,A$. Other
classes, while not corresponding to a meaningful mathematical definition, may
arise in concrete runs of proof transfer: see also Section 4 for explicit examples.


The lattice corresponding to the collection of $M_i$ is implemented as a hierarchy
of dependent tuples, more precisely, of record types.

⁵ For the sake of readability, we omit implicit arguments, e.g., although $M_i$ has type
$\Pi (T_1\,T_2 : \square).\ (T_1 \to T_2 \to \square) \to \square$, we write $M_i\,R$ for $(M_i\,A\,B\,R)$.
3.3 Populating the hierarchy of relations


We shall now revisit the parametricity translations of Section 2. In particular,
combining Theorem 3 with the equation at the crux of the abstraction theorem for
univalent parametricity ensures the existence of a term $p_{\square_i}$ such that:
$$\vdash_u p_{\square_i} : \square^\top\,\square_i\,\square_i \qquad\text{and}\qquad \mathrm{rel}(p_{\square_i}) = \square^\top.$$

Otherwise said, relation $\square^\top : \square_i \to \square_i \to \square_i$ can be endowed with a $\square^\top$ structure,
assuming univalence. Similarly, the analogous equation for the raw parametricity translation
can be read as the fact that relation $\square^\bot$ on universes can be endowed with
a $\square^\bot$ structure.

Now the hierarchy of structures introduced by Definition 5 enables a finer-grained
analysis of the possible relational interpretations of universes. Not only
would this put the raw and univalent parametricity translations under the same
hood, but it would also allow for generalizing parametricity to a larger class of
relations. For this purpose, we generalize the previous observation, on the key
ingredient for translating universes: for each $\alpha \in \mathcal{A}$, relation $\square^\alpha : \square \to \square \to \square$
may be endowed with several structures from the lattice, and we need to
study which ones, depending on $\alpha$. Otherwise said, we need to identify the pairs
$(\alpha, \beta) \in \mathcal{A}^2$ for which it is possible to construct a term $p_\square^{\alpha,\beta}$ such that:
$$\vdash p_\square^{\alpha,\beta} : \square^\beta\,\square^\alpha\,\square^\alpha \qquad\text{and}\qquad \mathrm{rel}(p_\square^{\alpha,\beta}) = \square^\alpha \qquad (12)$$

Note that we aim here at a definitional equality between $\mathrm{rel}(p_\square^{\alpha,\beta})$ and $\square^\alpha$, rather
than at an equivalence. It is easy to see that a term $p_\square^{\alpha,\bot}$ exists for any $\alpha \in \mathcal{A}$, as
$\square^\bot$ requires no structure on the relation. On the other hand, it is not possible to
construct a term $p_\square^{\bot,\top}$, i.e., to turn an arbitrary relation into a type equivalence.


Definition 7. We denote $D_\square$ the following subset of $\mathcal{A}^2$:
$$D_\square = \{(\alpha, \beta) \in \mathcal{A}^2 \mid \alpha = \top \;\vee\; \beta \in \{0, 1, 2_a\}^2\}$$


The supplementary material constructs terms $p_\square^{\alpha,\beta}$ for every pair $(\alpha, \beta) \in D_\square$,
using a meta-program to generate them from a minimal collection of manual
definitions. In particular, assuming univalence, it is possible to construct a term
$p_\square^{\top,\top}$, which can be seen as an analogue of the translation $[\square]$ of univalent
parametricity. More generally, the provided terms $p_\square^{\alpha,\beta}$ depend on univalence if
and only if $\beta \notin \{0, 1, 2_a\}^2$.

The next natural question concerns the possible structures $\square^\gamma$ endowing the
relational interpretation of a product type $\Pi x : A.\ B$, given relational interpretations
for types $A$ and $B$ respectively equipped with structures $\square^\alpha$ and $\square^\beta$.
Otherwise said, we need to identify the triples $(\alpha, \beta, \gamma) \in \mathcal{A}^3$ for which it is
possible to construct a term $p_\Pi^\gamma$ such that the following statements both hold:
$$\frac{\Gamma \vdash A_R : \square^\alpha\,A\,A' \qquad \Gamma, x : A, x' : A', x_R : A_R\,x\,x' \vdash B_R : \square^\beta\,B\,B'}{\Gamma \vdash p_\Pi^\gamma\,A_R\,B_R : \square^\gamma\,(\Pi x : A.\ B)\,(\Pi x' : A'.\ B')}$$
252 Cyril Cohen, Enzo Crance, and Assia Mahboubi
$$\mathrm{rel}(p_\Pi^\gamma\,A_R\,B_R) = \lambda f.\ \lambda f'.\ \Pi (x : A)(x' : A')(x_R : \mathrm{rel}(A_R)\,x\,x').\ \mathrm{rel}(B_R)\,(f\,x)\,(f'\,x')$$


The corresponding collection of triples can actually be described as a function
$D_\Pi : \mathcal{A} \to \mathcal{A}^2$, such that $D_\Pi(\gamma) = (\alpha, \beta)$ provides the minimal requirements on
the structures associated with $A$ and $B$, with respect to the partial order on $\mathcal{A}^2$.
The supplementary material provides a corresponding collection of terms $p_\Pi^\gamma$ for
each $\gamma \in \mathcal{A}$, as well as all the associated weakenings. Once again, these definitions
are generated by a meta-program. Observe in particular that by symmetry, $p_\Pi^{(m,n)}$
can be obtained from $p_\Pi^{(m,0)}$ and $p_\Pi^{(n,0)}$ by swapping the latter and glueing it to
the former. Therefore, the values of $p_\Pi^\gamma$ and $D_\Pi(\gamma)$ are completely determined
by those of $p_\Pi^{(m,0)}$ and $D_\Pi(m, 0)$. In particular, for any $(m, n) \in \mathcal{A}$:
$$D_\Pi(m, n) = ((m_A, n_A), (m_B, n_B))$$
where $m_A, n_A, m_B, n_B$ are such that $D_\Pi(m, 0) = ((0, n_A), (m_B, 0))$ and
$D_\Pi(n, 0) = ((0, m_A), (n_B, 0))$. We sum up in Figure 2 the values of $D_\Pi(m, 0)$.


 m  | D_Π(m,0)_1 | D_Π(m,0)_2        m  | D_→(m,0)_1 | D_→(m,0)_2
----|------------|-----------       ----|------------|-----------
 0  | (0, 0)     | (0, 0)            0  | (0, 0)     | (0, 0)
 1  | (0, 2a)    | (1, 0)            1  | (0, 1)     | (1, 0)
 2a | (0, 4)     | (2a, 0)           2a | (0, 2b)    | (2a, 0)
 2b | (0, 2a)    | (2b, 0)           2b | (0, 2a)    | (2b, 0)
 3  | (0, 4)     | (3, 0)            3  | (0, 3)     | (3, 0)
 4  | (0, 4)     | (4, 0)            4  | (0, 4)     | (4, 0)

Fig. 2: Minimal dependencies for product and arrow types


Note that in the case of a non-dependent product, constructing $p_\to^\gamma$ requires
less structure on the domain $A$ of an arrow type $A \to B$, which motivates the
introduction of function $D_\to(\gamma)$. Using the combinator for dependent products to
interpret an arrow type, albeit correct, potentially pulls in unnecessary structure
(and axiom) requirements. The supplementary material includes a construction
of terms $p_\to^\gamma$ for any $\gamma \in \mathcal{A}$.

The two tables in Figure 2 show how requirements on levels stay the same on
the right hand side of both $\Pi$ and $\to$, stay the same up to symmetries (exchange
of variance and of $2_a$ and $2_b$) on the left hand side of a $\to$ and increase on the
left hand side of a $\Pi$. This elegant arithmetic justifies our hierarchy of relations.
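To make that arithmetic checkable, here is an added Python model (not from the paper or the Trocq plugin) of the lattice of Definition 6 and of the functions $D_\Pi$ and $D_\to$ read off Figure 2; the field names map, g1, g2, coh standing for the components of the classes $M_i$ are our own labels.

```python
"""Added example: the annotation lattice of Definition 6 and the dependency
functions D_Pi / D_-> of Figure 2, with the three observations made about the
table checked mechanically over every gamma in A."""
from itertools import product

# Map-class levels of Definition 5 as the fields each class carries
# (hypothetical field names, ours):
#   0: nothing                 1: the map m
#   2a: m + g1 (m a = b -> R a b)   2b: m + g2 (R a b -> m a = b)
#   3: m + g1 + g2             4: m + g1 + g2 + coherence (g1 a b) o (g2 a b) = id
FIELDS = {
    "0": frozenset(),
    "1": frozenset({"map"}),
    "2a": frozenset({"map", "g1"}),
    "2b": frozenset({"map", "g2"}),
    "3": frozenset({"map", "g1", "g2"}),
    "4": frozenset({"map", "g1", "g2", "coh"}),
}
LEVELS = tuple(FIELDS)


def level_le(p, q):
    """Partial order of Definition 6 on levels: 0 < 1 < 2x < 3 < 4, with 2a and 2b
    incomparable. Field inclusion gives exactly that order, which is why the
    forgetful weakening of Definition 9 exists precisely when p >= q."""
    return FIELDS[p] <= FIELDS[q]


def ann_le(alpha, beta):
    """Product order on annotations alpha, beta in A = levels^2."""
    return level_le(alpha[0], beta[0]) and level_le(alpha[1], beta[1])


# Domain requirement read off Figure 2: each row is D(m, 0) = ((0, f(m)), (m, 0)),
# and these dictionaries are the function f for Pi and for -> respectively.
_DOMAIN_PI = {"0": "0", "1": "2a", "2a": "4", "2b": "2a", "3": "4", "4": "4"}
_DOMAIN_ARROW = {"0": "0", "1": "1", "2a": "2b", "2b": "2a", "3": "3", "4": "4"}


def _dep(gamma, domain):
    """D(m, n) = ((m_A, n_A), (m_B, n_B)) with D(m, 0) = ((0, n_A), (m_B, 0)) and
    D(n, 0) = ((0, m_A), (n_B, 0)): the codomain keeps gamma, the domain
    requirement is computed with the variance exchanged (n first, then m)."""
    m, n = gamma
    return (domain[n], domain[m]), (m, n)


def dep_pi(gamma):
    """D_Pi(gamma): minimal (alpha, beta) for interpreting Pi x : A. B at level gamma."""
    return _dep(gamma, _DOMAIN_PI)


def dep_arrow(gamma):
    """D_->(gamma): the same for a non-dependent arrow A -> B."""
    return _dep(gamma, _DOMAIN_ARROW)


def weaken(p, q):
    """The forgetful map of Definition 9 on classes, as the set of fields kept."""
    if not level_le(q, p):
        raise ValueError(f"cannot weaken class {p} to class {q}")
    return FIELDS[p] & FIELDS[q]


def check_figure_2():
    """True iff, for every gamma: both codomain requirements equal gamma, the
    arrow domain requirement is gamma with variance and 2a/2b exchanged, the Pi
    domain requirement is at least the arrow one, and both D are monotone."""
    swap = {"2a": "2b", "2b": "2a"}
    annotations = list(product(LEVELS, repeat=2))
    for gamma in annotations:
        a_pi, b_pi = dep_pi(gamma)
        a_ar, b_ar = dep_arrow(gamma)
        if b_pi != gamma or b_ar != gamma:
            return False
        if a_ar != tuple(swap.get(l, l) for l in reversed(gamma)):
            return False
        if not ann_le(a_ar, a_pi):
            return False
    for g1, g2 in product(annotations, repeat=2):
        if ann_le(g1, g2):
            for dep in (dep_pi, dep_arrow):
                (a1, b1), (a2, b2) = dep(g1), dep(g2)
                if not (ann_le(a1, a2) and ann_le(b1, b2)):
                    return False
    return True
```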


4 A calculus for proof transfer 


This section introduces TROCQ, a framework for proof transfer designed as a
generalization of parametricity translations, so as to allow for interpreting types
as instances of the structures introduced in the previous section. We adopt a sequent
style presentation, which fits closely the type system of $CC_\omega$, while explaining
in a consistent way the transformations of terms and contexts. This choice of
presentation departs from the standard literature about parametricity in pure
type systems. Yet, it brings the presentation closer to actual implementations,
whose necessary management of parametricity contexts is swept under the rug
by notational conventions (e.g., the primes of Section 2.3).

For this purpose, we successively introduce four calculi, of increasing sophistication.
We start (§ 4.1) with introducing this sequent style presentation by
rephrasing the raw parametricity translation, and the univalent parametricity
one (§ 4.2). We then introduce $CC_\omega^+$ (§ 4.3), a Calculus of Constructions with
annotations on sorts and subtyping, before defining (§ 4.4) the TROCQ calculus.


4.1 Raw parametricity sequents 


We introduce parametricity contexts, under the form of a list of triples packaging
two variables $x$ and $x'$ together with a third one $x_R$. The latter $x_R$ is a witness
(a proof) that $x$ and $x'$ are related:
$$\Xi ::= \varepsilon \mid \Xi, x \sim x' \because x_R$$

We write $(x, x', x_R) \in \Xi$ when $\Xi = \Xi', x \sim x' \because x_R, \Xi''$ for some $\Xi'$ and $\Xi''$.
We denote $\mathrm{Var}(\Xi)$ the sequence of variables related in a parametricity context
$\Xi$, with multiplicities:
$$\mathrm{Var}(\varepsilon) = \varepsilon \qquad \mathrm{Var}(\Xi, x \sim x' \because x_R) = \mathrm{Var}(\Xi), x, x', x_R$$
A parametricity context $\Xi$ is well-formed, written $\Xi \vdash$, if the sequence $\mathrm{Var}(\Xi)$
is duplicate-free. In this case, we use the notation $\Xi(x) = (x', x_R)$ as a synonym
of $(x, x', x_R) \in \Xi$.
A parametricity judgment relates a parametricity context $\Xi$ and three terms
$M, M', M_R$ of $CC_\omega$. Parametricity judgments, denoted as:
$$\Xi \vdash M \sim M' \because M_R,$$
are defined by the rules of Figure 3 and read: in context $\Xi$, term $M$ translates to the
term $M'$, because $M_R$.


Lemma 5. The relation associating a term $M$ with pairs $(M', M_R)$ such that
$\Xi \vdash M \sim M' \because M_R$ holds, with $\Xi$ a well-formed parametricity context, is
functional. More precisely, for any well-formed parametricity context $\Xi$:
$$\forall M, M', N', M_R, N_R.\quad \Xi \vdash M \sim M' \because M_R \;\wedge\; \Xi \vdash M \sim N' \because N_R \;\Longrightarrow\; (M', M_R) = (N', N_R)$$

Proof. Immediate by induction on the syntax of $M$.

This presentation of parametricity thus provides an alternative definition
of translation $[\cdot]$ from Figure 1 and accounts for the prime-based notational
convention used in the latter.
$$\frac{}{\Xi \vdash \square_i \sim \square_i \because \lambda (A\,B : \square_i).\ A \to B \to \square_i}\ (\textsc{ParamSort})
\qquad
\frac{(x, x', x_R) \in \Xi}{\Xi \vdash x \sim x' \because x_R}\ (\textsc{ParamVar})$$

$$\frac{\Xi \vdash M \sim M' \because M_R \qquad \Xi \vdash N \sim N' \because N_R}{\Xi \vdash M\,N \sim M'\,N' \because M_R\,N\,N'\,N_R}\ (\textsc{ParamApp})$$

$$\frac{\Xi \vdash A \sim A' \because A_R \qquad \Xi, x \sim x' \because x_R \vdash M \sim M' \because M_R}{\Xi \vdash \lambda x : A.\ M \sim \lambda x' : A'.\ M' \because \lambda x\,x'\,x_R.\ M_R}\ (\textsc{ParamLam})$$

$$\frac{x, x' \notin \mathrm{Var}(\Xi) \qquad \Xi \vdash A \sim A' \because A_R \qquad \Xi, x \sim x' \because x_R \vdash B \sim B' \because B_R}{\Xi \vdash \Pi x : A.\ B \sim \Pi x' : A'.\ B' \because \lambda f\,g.\ \Pi x\,x'\,x_R.\ B_R\,(f\,x)\,(g\,x')}\ (\textsc{ParamPi})$$

Fig. 3: PARAM: sequent-style binary parametricity translation


Definition 8. A parametricity context $\Xi$ is admissible for a well-formed typing
context $\Gamma$, denoted $\Gamma \rhd \Xi$, when $\Xi$ and $\Gamma$ are well-formed as a parametricity
context and a typing context respectively, and $\Gamma$ provides coherent type annotations
for all terms in $\Xi$, that is, for any variables $x, x', x_R$ such that $\Xi(x) = (x', x_R)$, and
for any terms $A'$ and $A_R$:
$$\Xi \vdash \Gamma(x) \sim A' \because A_R \;\Longrightarrow\; \Gamma(x') = A' \;\wedge\; \Gamma(x_R) = A_R\,x\,x'$$

We can now state and prove an abstraction theorem:

Theorem 4 (Abstraction theorem).
$$\frac{\Gamma \rhd \Xi \qquad \Gamma \vdash M : A \qquad \Xi \vdash M \sim M' \because M_R \qquad \Xi \vdash A \sim A' \because A_R}{\Gamma \vdash M' : A' \quad\text{and}\quad \Gamma \vdash M_R : A_R\,M\,M'}$$

Proof. By induction on the derivation of $\Xi \vdash M \sim M' \because M_R$.


4.2 Univalent parametricity sequents 


We now propose in Figure 4 a rephrased version of the univalent parametricity
translation [30], using the same sequent style and replacing the translation of
universes with the equivalent relation $\square^\top$. Parametricity judgments are denoted:
$$\Xi \vdash_u M \sim M' \because M_R$$
where $\Xi$ is a parametricity context and $M$, $M'$, and $M_R$ are terms of $CC_\omega$.
The $u$ index is a reminder that typing judgments $\Gamma \vdash_u M : A$ involved in the
associated abstraction theorem assume the univalence axiom.

We can now rephrase the abstraction theorem for univalent parametricity.
$$\frac{}{\Xi \vdash_u \square_i \sim \square_i \because p_{\square_i}}\ (\textsc{UParamSort})
\qquad
\frac{(x, x', x_R) \in \Xi}{\Xi \vdash_u x \sim x' \because x_R}\ (\textsc{UParamVar})$$

$$\frac{\Xi \vdash_u M \sim M' \because M_R \qquad \Xi \vdash_u N \sim N' \because N_R}{\Xi \vdash_u M\,N \sim M'\,N' \because M_R\,N\,N'\,N_R}\ (\textsc{UParamApp})$$

$$\frac{\Xi \vdash_u A \sim A' \because A_R \qquad \Xi, x \sim x' \because x_R \vdash_u M \sim M' \because M_R}{\Xi \vdash_u \lambda x : A.\ M \sim \lambda x' : A'.\ M' \because \lambda x\,x'\,x_R.\ M_R}\ (\textsc{UParamLam})$$

$$\frac{\Xi \vdash_u A \sim A' \because A_R \qquad \Xi, x \sim x' \because x_R \vdash_u B \sim B' \because B_R}{\Xi \vdash_u \Pi x : A.\ B \sim \Pi x' : A'.\ B' \because p_\Pi^\top\,A_R\,B_R}\ (\textsc{UParamPi})$$

Fig. 4: UPARAM: univalent parametricity rules


Theorem 5 (Univalent abstraction theorem).
$$\frac{\Gamma \rhd \Xi \qquad \Gamma \vdash_u M : A \qquad \Xi \vdash_u M \sim M' \because M_R \qquad \Xi \vdash_u A \sim A' \because A_R}{\Gamma \vdash_u M' : A' \quad\text{and}\quad \Gamma \vdash_u M_R : \mathrm{rel}(A_R)\,M\,M'}$$

Proof. By induction on the derivation of $\Xi \vdash_u M \sim M' \because M_R$.

Remark 3. In Theorem 5, $\mathrm{rel}(A_R)$ is a term of type $A \to A' \to \square$. Indeed:
$$\frac{\Gamma \vdash_u A : \square_i \qquad \Xi \vdash_u A \sim A' \because A_R}{\Gamma \vdash_u A_R : \mathrm{rel}(p_{\square_i})\,A\,A'}$$
entails $A_R$ has type
$$\mathrm{rel}(p_{\square_i})\,A\,A' = \square^\top\,A\,A' = \Sigma R : A \to A' \to \square.\ \mathrm{IsUmap}(R) \times \mathrm{IsUmap}(R^{-1}).$$


4.3 Annotated type theory 


We are now ready to generalize the relational interpretation of types provided by
the univalent parametricity translation, so as to allow for interpreting sorts with
instances of weaker structures than equivalence. For this purpose, we introduce
a variant $CC_\omega^+$ of $CC_\omega$ where each universe is annotated with a label indicating
the structure available on its relational interpretation. Recall from Section 3
that we have used annotations $\alpha \in \mathcal{A}$ to identify the different structures of
the lattice disassembling type equivalence: these are the labels annotating sorts
of $CC_\omega^+$, so that if $A$ has type $\square_i^\alpha$, then the associated relation $A_R$ has type
$\square^\alpha\,A\,A'$. The syntax of $CC_\omega^+$ is thus:
$$M, N, A, B \in T_{CC_\omega^+} 
::= \square_i^\alpha \mid x \mid M\,N \mid \lambda x : A.\ M \mid \Pi x : A.\ B
\qquad \alpha \in \mathcal{A} = \{0, 1, 2_a, 2_b, 3, 4\}^2 \qquad i \in \mathbb{N}$$
Before completing the actual formal definition of the TROCQ proof transfer
framework, let us informally illustrate how these annotations shall drive the
interpretation of terms, and in particular, of a dependent product $\Pi x : A.\ B$. In
this case, before translating $B$, three terms representing the bound variable $x$,
its translation $x'$, and the parametricity witness $x_R$ are added to the context.
The type of $x_R$ is $\mathrm{rel}(A_R)\,x\,x'$ where $A_R$ is the parametricity witness relating $A$
to its translation $A'$. The role of annotation $\alpha$ on the sort typing type $A$ is thus
to govern the amount of information available in witness $x_R$, by determining
the type of $A_R$. This intent is reflected in the typing rules of $CC_\omega^+$, which rely
on the definition of the loci $D_\square$, $D_\to$ and $D_\Pi$ introduced in Section 3.3.

Contexts are defined as usual, but typing terms in $CC_\omega^+$ requires defining
a subtyping relation $\preccurlyeq$, defined by the rules of Figure 5. The typing rules of
$CC_\omega^+$ are available in Figure 6 and follow standard presentations [6]. The $\equiv$
relation in the (SUBCONV) rule is the conversion relation, defined as the closure
of $\alpha$-equivalence and $\beta$-reduction. The two types of judgment in $CC_\omega^+$ are thus:
$$\Gamma \vdash_+ A \preccurlyeq B \qquad\text{and}\qquad \Gamma \vdash_+ M : A$$
where $M$, $A$ and $B$ are terms in $CC_\omega^+$ and $\Gamma$ is a context in $CC_\omega^+$.


$$\frac{\Gamma \vdash_+ A : K \qquad \Gamma \vdash_+ B : K \qquad A \equiv B}{\Gamma \vdash_+ A \preccurlyeq B}\ (\textsc{SubConv})
\qquad
\frac{\alpha \geq \beta \qquad i \leq j}{\Gamma \vdash_+ \square_i^\alpha \preccurlyeq \square_j^\beta}\ (\textsc{SubSort})$$

$$\frac{\Gamma \vdash_+ M'\,N : K \qquad \Gamma \vdash_+ M \preccurlyeq M'}{\Gamma \vdash_+ M\,N \preccurlyeq M'\,N}\ (\textsc{SubApp})
\qquad
\frac{\Gamma, x : A \vdash_+ M \preccurlyeq M'}{\Gamma \vdash_+ \lambda x : A.\ M \preccurlyeq \lambda x : A.\ M'}\ (\textsc{SubLam})$$

$$\frac{\Gamma \vdash_+ \Pi x : A.\ B : \square_i \qquad \Gamma \vdash_+ A' \preccurlyeq A \qquad \Gamma, x : A' \vdash_+ B \preccurlyeq B'}{\Gamma \vdash_+ \Pi x : A.\ B \preccurlyeq \Pi x : A'.\ B'}\ (\textsc{SubPi})$$

$$K ::= \square_i \mid \Pi x : A.\ K$$

Fig. 5: Subtyping rules for $CC_\omega^+$


Due to space constraints, we omit the direct proof that $CC_\omega^+$ is a conservative
extension over $CC_\omega$. It goes by defining an erasure function for terms
$|\cdot| : T_{CC_\omega^+} \to T_{CC_\omega}$ and the associated erasure function for contexts.


4.4 The TROCQ calculus 


The final stage of the announced generalization consists in building an analogue
to the parametricity translations available in pure type systems, but for the
annotated type theory of § 4.3. This analogue is geared towards proof transfer,
as discussed in § 2.1, and therefore designed to synthesize the output of the
translation from its input, rather than to check that certain pairs of terms are
in relation. However, splitting up the interpretation of universes into a lattice of
possible relation structures means that the source term of the translation is not
enough to characterize the desired output: the translation needs to be informed
with some extra information about the expected outcome of the translation. In
the TROCQ calculus, this extra information is a type of $CC_\omega^+$.

$$\frac{\Gamma \vdash_+ M : A \qquad \Gamma \vdash_+ A \preccurlyeq B}{\Gamma \vdash_+ M : B}\ (\textsc{Conv}^+)
\qquad
\frac{\Gamma \vdash_+ \qquad (\alpha, \beta) \in D_\square}{\Gamma \vdash_+ \square_i^\alpha : \square_{i+1}^\beta}\ (\textsc{Sort}^+)$$

$$\frac{(x, A) \in \Gamma \qquad \Gamma \vdash_+}{\Gamma \vdash_+ x : A}\ (\textsc{Var}^+)
\qquad
\frac{\Gamma \vdash_+ A : \square_i^\alpha \qquad x \notin \mathrm{Var}(\Gamma)}{\Gamma, x : A \vdash_+}\ (\textsc{Context}^+)$$

$$\frac{\Gamma \vdash_+ M : \Pi x : A.\ B \qquad \Gamma \vdash_+ N : A}{\Gamma \vdash_+ M\,N : B[x := N]}\ (\textsc{App}^+)
\qquad
\frac{\Gamma, x : A \vdash_+ M : B}{\Gamma \vdash_+ \lambda x : A.\ M : \Pi x : A.\ B}\ (\textsc{Lam}^+)$$

$$\frac{\Gamma \vdash_+ A : \square_i^\alpha \qquad \Gamma \vdash_+ B : \square_i^\beta \qquad D_\to(\gamma) = (\alpha, \beta)}{\Gamma \vdash_+ A \to B : \square_i^\gamma}\ (\textsc{Arrow}^+)$$

$$\frac{\Gamma \vdash_+ A : \square_i^\alpha \qquad \Gamma, x : A \vdash_+ B : \square_i^\beta \qquad D_\Pi(\gamma) = (\alpha, \beta)}{\Gamma \vdash_+ \Pi x : A.\ B : \square_i^\gamma}\ (\textsc{Pi}^+)$$

Fig. 6: Typing rules for $CC_\omega^+$

We thus define TROCQ contexts as lists of quadruples:
$$\Delta ::= \varepsilon \mid \Delta, x\ @\ A \sim x' \because x_R \qquad\text{where } A \in T_{CC_\omega^+},$$
and introduce a conversion function $\gamma$ from TROCQ contexts to $CC_\omega^+$ contexts:
$$\gamma(\varepsilon) = \varepsilon \qquad \gamma(\Delta, x\ @\ A \sim x' \because x_R) = \gamma(\Delta), x : A$$

Now, a TROCQ judgment is a 4-ary relation of the form $\Delta \vdash_t M\ @\ A \sim M' \because M_R$,
which is read: in context $\Delta$, term $M$ of annotated type $A$ translates
to term $M'$, because $M_R$; $M_R$ is called a parametricity witness. TROCQ judgments
are defined by the rules of Figure 7. This definition involves a weakening
function for parametricity witnesses, defined as follows.

Definition 9. For all $p, q \in \{0, 1, 2_a, 2_b, 3, 4\}$ such that $p \geq q$, we define the map
$\downarrow^p_q : M_p \to M_q$, which forgets the fields from class $M_p$ that are not in $M_q$.

For all $\alpha, \beta \in \mathcal{A}$ such that $\alpha \geq \beta$, the function $\Downarrow^\alpha_\beta : \square^\alpha\,A\,B \to \square^\beta\,A\,B$ is
defined by:
$$\Downarrow^\alpha_\beta (R, M^\to, M^\leftarrow) := (R,\ \downarrow^{\alpha_1}_{\beta_1} M^\to,\ \downarrow^{\alpha_2}_{\beta_2} M^\leftarrow).$$

The weakening function on parametricity witnesses is defined in Figure 8 by
extending function $\Downarrow^\alpha_\beta$ to all relevant pairs of types of $CC_\omega^+$, i.e., $\Downarrow^T_U$ is defined
for $T, U \in T_{CC_\omega^+}$ as soon as $T \preccurlyeq U$.
$$\frac{(\alpha, \beta) \in D_\square}{\Delta \vdash_t \square^\alpha\ @\ \square^\beta \sim \square^\alpha \because p_\square^{\alpha,\beta}}\ (\textsc{TrocqSort})
\qquad
\frac{(x\ @\ A \sim x' \because x_R) \in \Delta}{\Delta \vdash_t x\ @\ A \sim x' \because x_R}\ (\textsc{TrocqVar})$$

$$\frac{\Delta \vdash_t M\ @\ \Pi x : A.\ B \sim M' \because M_R \qquad \Delta \vdash_t N\ @\ A \sim N' \because N_R}{\Delta \vdash_t M\,N\ @\ B[x := N] \sim M'\,N' \because M_R\,N\,N'\,N_R}\ (\textsc{TrocqApp})$$

$$\frac{\Delta \vdash_t A\ @\ \square^\alpha \sim A' \because A_R \qquad \Delta, x\ @\ A \sim x' \because x_R \vdash_t M\ @\ B \sim M' \because M_R}{\Delta \vdash_t \lambda x : A.\ M\ @\ \Pi x : A.\ B \sim \lambda x' : A'.\ M' \because \lambda x\,x'\,x_R.\ M_R}\ (\textsc{TrocqLam})$$

$$\frac{(\alpha, \beta) = D_\to(\delta) \qquad \Delta \vdash_t A\ @\ \square^\alpha \sim A' \because A_R \qquad \Delta \vdash_t B\ @\ \square^\beta \sim B' \because B_R}{\Delta \vdash_t A \to B\ @\ \square^\delta \sim A' \to B' \because p_\to^\delta\,A_R\,B_R}\ (\textsc{TrocqArrow})$$

$$\frac{(\alpha, \beta) = D_\Pi(\delta) \qquad \Delta \vdash_t A\ @\ \square^\alpha \sim A' \because A_R \qquad \Delta, x\ @\ A \sim x' \because x_R \vdash_t B\ @\ \square^\beta \sim B' \because B_R}{\Delta \vdash_t \Pi x : A.\ B\ @\ \square^\delta \sim \Pi x' : A'.\ B' \because p_\Pi^\delta\,A_R\,B_R}\ (\textsc{TrocqPi})$$

$$\frac{\Delta \vdash_t M\ @\ A \sim M' \because M_R \qquad \gamma(\Delta) \vdash_+ A \preccurlyeq B}{\Delta \vdash_t M\ @\ B \sim M' \because \Downarrow^A_B M_R}\ (\textsc{TrocqConv})$$

Fig. 7: TROCQ rules


An abstraction theorem relates TROCQ judgments and typing in $CC_\omega^+$.

Theorem 6 (TROCQ abstraction theorem).
$$\frac{\gamma(\Delta) \vdash_+ \qquad \gamma(\Delta) \vdash_+ M : A \qquad \Delta \vdash_t M\ @\ A \sim M' \because M_R \qquad \Delta \vdash_t A\ @\ \square^\alpha \sim A' \because A_R}{\gamma(\Delta) \vdash_+ M' : A' \quad\text{and}\quad \gamma(\Delta) \vdash_+ M_R : \mathrm{rel}(A_R)\,M\,M'}$$

Proof. By induction on the derivation of $\Delta \vdash_t M\ @\ A \sim M' \because M_R$.

Note that type $A$ in the typing hypothesis $\gamma(\Delta) \vdash_+ M : A$ of the abstraction
theorem is exactly the extra information passed to the translation. The latter
can thus also be seen as an inference algorithm, which infers annotations for the
output of the translation from that of the input.


Remark 4. Since, by definition of $p_\square^{\alpha,\beta}$ (Equation (12)), we have
$\vdash_+ p_\square^{\alpha,\beta} : \square^\beta\,\square^\alpha\,\square^\alpha$, by applying Theorem 6 with $\gamma(\Delta) \vdash_+ A : \square^\alpha$ we get:
$$\frac{\gamma(\Delta) \vdash_+ A : \square^\alpha \qquad \Delta \vdash_t A\ @\ \square^\alpha \sim A' \because A_R}{\gamma(\Delta) \vdash_+ A_R : \mathrm{rel}(p_\square^{\alpha,\beta})\,A\,A'}$$

$$\Downarrow^{\Pi x : A.\ B}_{\Pi x : A'.\ B'} M_R := \lambda x\,x'\,x_R.\ \Downarrow^{B}_{B'} (M_R\,x\,x'\,(\Downarrow^{A'}_{A} x_R))
\qquad\qquad
\Downarrow^{A}_{A} M_R := M_R$$

Fig. 8: Weakening of parametricity witnesses

Now by the same definition, for any $\beta \in \mathcal{A}$, $\mathrm{rel}(p_\square^{\alpha,\beta}) = \square^\alpha$, hence
$\gamma(\Delta) \vdash_+ A_R : \square^\alpha\,A\,A'$, as expected by the type annotation $A : \square^\alpha$ in the premise of the rule.

Remark 5. By applying Remark 4 with $\vdash_+ \square^\alpha : \square^\beta$, we indeed obtain
that $\vdash_+ p_\square^{\alpha,\beta} : \square^\beta\,\square^\alpha\,\square^\alpha$ as expected, provided that $(\alpha, \beta) \in D_\square$.


4.5 Constants 


Concrete applications require extending TROCQ with constants. Constants are
similar to variables, except that they are stored in a global context instead of a
typing context. A crucial difference though is that a constant may be assigned
several different annotated types in $CC_\omega^+$.

Consider for example a constant list, standing for the type of polymorphic
lists. As list A is the type of lists with elements of type A, it can be annotated
with type $\square^\alpha \to \square^\alpha$ for any $\alpha \in \mathcal{A}$.

Every constant declared in the global environment has an associated collection
of possible annotated types $T_c \subseteq T_{CC_\omega^+}$. We require that all the annotated
types of a same constant share the same erasure in $CC_\omega$, i.e., $\forall c, \forall A, \forall B,\ A, B \in
T_c \Longrightarrow |A| = |B|$. For example, $T_{\mathrm{list}} = \{\square^\alpha \to \square^\alpha \mid \alpha \in \mathcal{A}\}$.

In addition, we provide translations $D_c(A)$ for each possible annotated type
$A$ of each constant $c$ in the global context. For example, $D_{\mathrm{list}}(\square^{(1,0)} \to \square^{(1,0)})$ is
equal to $(\mathrm{list}, \lambda A\,A'\,A_R.\ (\mathrm{List.All2}\ A_R, \mathrm{List.map}\ (\mathrm{map}\ A_R)))$, where relation
List.All2 $A_R$ relates lists of the same length, whose elements are pair-wise
related via $A_R$, List.map is the usual map function on lists and $\mathrm{map}\ A_R : A \to A'$
extracts the map projection of the record $A_R$ of type $\square^{(1,0)}\,A\,A' = \Sigma R.\ A \to A'$.
Part of these translations can be generated automatically by weakening.

We describe in Figure 9 the additional rules for constants in $CC_\omega^+$ and
TROCQ. Note that for an input term featuring constants, an unfortunate choice
of annotation may lead to a stuck translation.


$$\frac{c \in \mathcal{C} \qquad A \in T_c}{\Gamma \vdash_+ c : A}\ (\textsc{Const}^+)
\qquad
\frac{D_c(A) = (c', c_R)}{\Delta \vdash_t c\ @\ A \sim c' \because c_R}\ (\textsc{TrocqConst})$$

Fig. 9: Additional constant rules for $CC_\omega^+$ and TROCQ


5 Implementation and applications

The TROCQ plugin [13] turns the material presented in Section 4 into an actual
tactic, called trocq, for automating proof transfer in Coq. This tactic synthesizes
a new goal from the current one, as well as a proof that the former implies
the latter. User-defined relations between constants, registered via specific
vernacular commands, inform this synthesis. The core of the plugin implements
each rule of the TROCQ calculus in the Elpi meta-programming language [17,31],
on top of Coq libraries formalizing the contents of Section 3. In the logic
programming paradigm of Elpi, each rule of Figure 7 translates gracefully into a
corresponding λProlog predicate, making the corresponding source code very
close to the presentation above. However, the TROCQ plugin also implements a
much less straightforward annotation inference algorithm, so as to hide the
management of sort annotations from Coq users completely. This section illustrates the
usage of the trocq tactic on various concrete examples.


5.1 Isomorphisms

Bitvectors. Here are two possible encodings of bitvectors in Coq:

bounded_nat (k : nat) := {n : nat & n < pow 2 k}.  (* n < 2^k *)
bitvector (k : nat) := Vector.t Bool k.  (* size k vectors of booleans *)

We can prove that these representations are equivalent by combining two proofs
by transitivity: the proof that bounded_nat k is related to bitvector k for a
given k, and the proof that Vector.t is related to itself. We also make use of
the equivalence relations natR and boolR, which respectively relate type nat
and Bool with themselves:

Rk : ∀ (k : nat), Param44.Rel (bounded_nat k) (bitvector k)
vecR : ∀ (A A' : Type) (AR : Param44.Rel A A') (k k' : nat)
  (kR : natR k k'), Param44.Rel (Vector.t A k) (Vector.t A' k')
(* equivalence between types (bounded_nat k) and (bitvector k') *)
bvR : ∀ (k k' : nat) (kR : natR k k'),
  Param44.Rel (bounded_nat k) (bitvector k')
(* informing Trocq with these equivalences *)
Trocq Use vecR natR boolR bvR.


Now, suppose we would like to transfer the following result from the bounded
natural numbers to the vector-based encoding:

∀ (k : nat) (v : bounded_nat k) (i : nat) (b : Bool), i < k ->
  get (set v i b) i = b

As this goal involves get and set operations on bitvectors, and the order and
equality relations on type nat, we inform TROCQ with the associated operations
getv and setv on the vector encoding. E.g., for get and getv, we prove:

getR : ∀ (k k' : nat) (kR : natR k k')
  (v : bounded_nat k) (v' : bitvector k') (vR : bvR k k' kR v v')
  (n n' : nat) (nR : natR n n'), boolR (get v n) (getv v' n')


We can now use proof transfer from bitvectors to bounded natural numbers:

Trocq Use eqR ltR. (* where eq and lt are translated to themselves *)
Trocq Use getR setR.

Lemma setBitGetSame : ∀ (k : nat) (v : bitvector k),
  ∀ (i : nat) (b : Bool), i < k -> getv (setv v i b) i = b.
Proof. trocq. exact setBitGetSame'. (* same lemma, on bitvector *) Qed.


Induction principle on integers. Recall that the problem from Example 1
is to obtain the following elimination scheme, from that available on type ℕ:

N_ind : ∀ P : N → □, P 0_N → (∀ n : N, P n → P (S_N n)) → ∀ n : N, P n

We first inform TROCQ that N and ℕ are isomorphic, by providing proofs
that the two conversions ℕ → N and N → ℕ are mutual inverses.
Using lemma Iso.toParam, we can deduce an equivalence Param44.Rel N ℕ,
i.e., $\square^{(4,4)}\,N\,\mathbb{N}$. We also prove and register that zeros and successors are related:

Definition NR : Param44.Rel N ℕ := ...
Lemma 0R : rel NR 0_N 0_ℕ.
Lemma SR : ∀ m n, rel NR m n -> rel NR (S_N m) (S_ℕ n).
Trocq Use NR 0R SR.

TROCQ is now able to generate, prove and apply the desired implication:

Lemma N_ind : ∀ P : N → □, P 0_N → (∀ n : N, P n → P (S_N n)) →
  ∀ n : N, P n.
Proof.
  trocq. (* in the goal, N, 0_N, S_N have been replaced by ℕ, 0_ℕ, S_ℕ *)
  exact nat_rect.
Qed.

Inspecting this proof confirms that only information up to level $(2_a, 3)$ has been
extracted from the equivalence proof NR. It is thus possible to run the exact
proof transfer, but with a weaker relation, as illustrated in the code for an
abstract type I with a zero and a successor constants, and a retraction ℕ → I.


5.2 Sections, retractions 


Modular arithmetic. A typical application of modular arithmetic is to
show that some statement on ℤ can be reduced to statements on ℤ/pℤ. Let us
show how TROCQ can synthesize and prove the following implication:

Lemma IntRedModZp : (forall (m n p : Zmodp), (m = n * n)%Zmodp -> m = 0)
  -> forall (m n p : int), (m = n * n)%int -> (m == 0)%int.
Proof. intro Hyp. trocq; simpl. now apply Hyp. Qed.

where scope %Zmodp is for the usual product and zero on type Zmodp, for ℤ/pℤ,
scope %int for those on type int, for ℤ, and == is an equality test modulo
p on type int. Observe that the implication deduces a lemma on ℤ from its
modular analogue. Types Zmodp and int are obviously not equivalent, but a
retraction is actually enough for this proof transfer. We have:

modp : int -> Zmodp
reprp : Zmodp -> int
reprpK : ∀ (x : Zmodp), modp (reprp x) = x
Rp : Param42a.Rel int Zmodp

where Rp (a proof that $\square^{(4,2_a)}\,\mathbb{Z}\,\mathbb{Z}/p\mathbb{Z}$) is obtained from reprpK via lemma
SplitSurj.toParam. Proving lemma IntRedModZp by trocq now just requires
relating the respective zeroes, multiplications, and equalities of the two types:

R0 : Rp 0%int 0%Zmodp.
Rmul : ∀ (m : int) (x : Zmodp) (xR : Rp m x)
  (n : int) (y : Zmodp) (yR : Rp n y), Rp (m * n)%int (x * y)%Zmodp.
Reqmodp : ∀ (m : int) (x : Zmodp), Rp m x ->
  ∀ (n : int) (y : Zmodp), Rp n y -> Param01.Rel (m == n) (x = y).
Trocq Use Rp Rmul R0 Reqmodp. (* informing Trocq with these relations *)

where Param01.Rel P Q (Param01.Rel is the Coq name for $\square^{(0,1)}$) is Q -> P.
Note that by definition of the relation given by Rp, lemma Rmul amounts to:

∀ (m n : int), modp (m * n)%int = (modp m * modp n)%Zmodp.


Summable sequences. Example 2 involves two instances of subtypes: type
ℝ̄≥0 extends a type ℝ≥0 of positive real numbers with an abstract element and
type summable is for provably convergent sequences of positive real numbers:

Inductive ℝ̄≥0 : Type := Fin : ℝ≥0 -> ℝ̄≥0 | Inf : ℝ̄≥0.
Definition seq_ℝ≥0 := nat -> ℝ≥0. Definition seq_ℝ̄≥0 := nat -> ℝ̄≥0.

Record summable := {to_seq :> seq_ℝ≥0; _ : isSummable to_seq}.

Types ℝ≥0 and ℝ̄≥0 are related at level $(4, 2_b)$: e.g., truncate : ℝ̄≥0 -> ℝ≥0
provides a partial inverse to the Fin injection by sending the extra Inf to zero.
Types summable and seq_ℝ̄≥0 are also related at level $(4, 2_b)$, via the relation:

Definition Rrseq (u : summable) (v : seq_ℝ̄≥0) : Type := seq_extend u = v.

where seq_extend transforms a summable sequence into a sequence of extended
positive reals in the obvious way. Now Σ_ℝ̄≥0 u : ℝ̄≥0 is the sum of a sequence
u : seq_ℝ̄≥0 of extended positive reals, and we also define the sum of a sequence
of positive reals, as a positive real, again by defaulting infinite sums to zero. For
the purpose of the example, we only do so for summable sequences:

Definition Σ_ℝ≥0 (u : summable) : ℝ≥0 := truncate (Σ_ℝ̄≥0 (seq_extend u)).

These two notions of sums are related via Rrseq, and so are the respective
additions of positive (resp. extended positive) reals and the respective pointwise
additions of sequences. Once TROCQ is informed of these relations, the tactic is
able to transfer the statement from the much easier variant on extended reals:

(* relating type ℝ≥0 and ℝ̄≥0 and their respective equalities *)
Trocq Use Param01_paths Param42b_nnR.

(* relating sequence types, sums, addition, addition of sequences *)
Trocq Use Param42b_rseq R_sum_xnnR R_add_xnnR seq_nnR_add.

Lemma sum_xnnR_add : ∀ (u v : seq_ℝ̄≥0), Σ_ℝ̄≥0 (u + v) = Σ_ℝ̄≥0 u + Σ_ℝ̄≥0 v.
Proof. (...) Qed. (* easy, as no convergence proof is needed *)

Lemma sum_nnR_add : ∀ (u v : summable), Σ_ℝ≥0 (u + v) = Σ_ℝ≥0 u + Σ_ℝ≥0 v.
Proof. trocq; exact sum_xnnR_add. Qed.


5.3 Polymorphic, dependent types 


Polymorphic parameters. Suppose we want to transfer a goal involving
lists along an equivalence between the types of the values contained in the lists.
We first prove that the list type former is equivalent to itself, and register this
fact:

listR : ∀ A A' (AR : Param44.Rel A A'), Param44.Rel (list A) (list A')
Trocq Use listR.

We also need to relate with themselves all operations on type list involved
in the goal, including constructors, and to register these facts, before TROCQ is
able to transfer any goal, e.g., about list N to its analogue on list ℕ.
Note that lemma listR requires an equivalence between its parameters. If
this does not hold, as in the case of type int and Zmodp from Section 5.2,
weakening does not apply here. In order to avoid stuck
translation, we need several versions of listR to cover all cases. For instance, the
following lemma is required for proof transfers from list Zmodp to list int.

listR2a4 : ∀ A A' (AR : Param2a4.Rel A A'),
  Param2a4.Rel (list A) (list A').


Dependent and polymorphic types (code). Fixed-size vectors can be represented
by iterated tuples, an alternative to the inductive type Vector.t, from Coq's
standard library, as follows.

Definition tuple (A : Type) : nat -> Type := fix F n :=
  match n with 0 => Unit | S n' => F n' * A end.

On the following mockup example, TROCQ transfers a lemma on Vector.t to
its analogue on tuple, about a function head : ∀ A n, tuple A (S n) -> A,
and a function const : ∀ A, A -> ∀ n, tuple A n creating a constant vector,
and simultaneously refines integers into the integers modulo p from Section 5.1.

Lemma head_cst (n : nat) (i : int) : Vector.hd (Vector.const i (S n)) = i.
Proof. destruct n; simpl; reflexivity. Qed. (* easy proof *)

Lemma head_cst' : ∀ (n : nat) (z : Zmodp), head (const z (S n)) = z.
Proof. trocq. exact head_cst. Qed.

This automated proof only requires proving (and registering) that head and
const are related to their analogues Vector.hd and Vector.const, from Coq's
standard library. Note that the proof uses the equivalence between Vector.t
and tuple but only requires a retraction between parameter types.


6 Conclusion 


The TROCQ framework can be seen as a generalization of the univalent para-
metricity translation [30]. It allows for weaker relations than equivalence, thanks
to a fine-grained control of the data propagated by the translation. This analysis
is enabled by skolemizing the usual symmetrical presentation of equivalence, so
as to expose the data, and by introducing a hierarchy of algebraic structures for
relations. This scrutiny allows in particular to get rid of the univalence axiom
for a larger class of equivalence proofs [29], and to deal with refinement relations
for arbitrary terms, unlike the CoqEAL library [14]. Altenkirch and Kaposi al-
ready proposed a symmetrical, skolemized phrasing of type equivalence [8], but
for different purposes. In particular, they did not study the resulting hierarchy
of structures. Definition 4 however slightly differs from theirs: by reducing the
amount of transport involved, it eases formal proofs significantly in practice,
both in the internal library of TROCQ and for end-users of the tactic.

The concrete output of this work is a plugin [13] that consists of about
3000 lines of original Coq proofs and 1200 lines of meta-programming, in the Elpi meta-
language, excluding white lines and comments. This plugin goes beyond the state
of the art in two ways. First, it demonstrates that a single implementation of
this parametricity framework covers the core features of several existing other
tactics, for refinements [14,16], generalized rewriting [28], and proof transfer [30].
Second, it addresses use cases, such as Example 2, that are beyond the skills of
any existing tool in any proof assistant based on type theory. The prototype
plugin arguably needs an improved user interface so as to reach the maturity
of some of the aforementioned existing tactics. It would also benefit from an
automated generation of equivalence proofs, such as Pumpkin Pi [27].
TROCQ [5] is both the name of a calculus, describing a parametricity frame-
work, and of a Coq plugin [6] that provides tactics for performing representation
changes in goals, as well as vernacular commands for specifying the expected
translations. More precisely, from an initial goal of type G, the trocq tactic
simultaneously computes, using the TROCQ calculus, a translation G' and a
justification w : G' -> G. If successful, the user is thus left with proving G'.

The plugin orchestrates this double synthesis, by assembling existing build-
ing blocks known to the tactic, in the course of a linear traversal of the input
term G. These building blocks are of two natures. First, the actual rules of
the parametricity framework [5] govern the synthesis rule attached to each term
construction of CC_ω. The other nature of building blocks is the collection of
registered pairs of user-defined constants. These pairs come equipped with a
witness of their relatedness at some level, a data registered via the Trocq Use
command. When the linear traversal of the input term hits a constant, it queries
the database registering these user-defined relations, looking for the correspond-
ing constant and witness to be used in the synthesis.

The TROCQ plugin is implemented in Elpi [9]: a dialect of λProlog which
can be used as a meta-language for Coq, through the Coq-Elpi plugin. The
latter encodes Coq terms in higher-order abstract syntax (HOAS) which pro-
vides native support for bound variables, complemented by a comprehensive
API (typechecking, elaboration, interacting with the global environment, etc).


1 


Let us translate the induction principle associated with type nat , the unary 
representation of N, to type N , the binary one. Types nat and N are equivalent 
and we use the Trocq Use command to register such pairs of related types: 


Definition RN : (N <=> nat)%P := Iso.toParamSym N.of_nat_iso. 
Trocq Use RN. (* registering a pair of related types *) 


Proof RN coerces to a relation of type N -> nat -> Type, and we also register
proofs that it relates the respective zero and successor constants of these types:

Definition RN0 : RN 0%N 0%nat. Proof. done. Qed.
Definition RNS m n : RN m n -> RN (N.succ m) (S n). Proof. by case. Qed.
Trocq Use RN0. Trocq Use RNS. (* registering related constants *)


We can now use tactic trocq to prove a useful induction principle on type N: 


Lemma N_Srec : forall (P : N -> Type), P 0%N ->
  (forall n, P n -> P (N.succ n)) -> forall n, P n.
Proof. trocq. (* replaces N by nat in the goal *) exact nat_rect. Qed.


Inspecting the proof term actually reveals that univalence was not needed in the 
proof of N_Srec . The example directory of the artifact provides more examples, 
for weaker relations than equivalences, and beyond representation independence. 


2 Architecture of the plugin 


A TROCQ parametricity sequent Δ ⊢ M @ A ∼ M' ∵ M_R expresses that
terms M and M' are related at type A with witness M_R in context Δ. Unlike
standard, unequivocal parametricity translations, each construct of CC_ω gives
rise to a family of possible synthesis rules, indexed by annotations on M and A.


Encoding CC⁺_ω. To implement the annotation calculus CC⁺_ω, we just annotate
Coq's sort Type with a pair (n, m) using convertible synonyms (PType n m),
where PType := fun (_ _ : label) => Type. The two thrown-away arguments
code for the annotation. In the course of the synthesis, arguments of certain
occurrences of PType are left as holes and filled by a constraint solving algorithm.


Synthesis. The logic programming paradigm on which Elpi is based is ideal to
implement algorithms expressed as inference rules, as each rule can be associated
to an instance of a predicate. The linear traversal of the input term at the core
of the TROCQ plugin is operated by the predicate param, of arity 4, where
param X T X' XR stands for the parametricity sequent Δ ⊢ x @ T ∼ x' ∵ x_R
for a certain context Δ. In this sequent, x and T are input values (initially,
the source goal and the annotated sort □), and the synthesized term x' and
witness x_R are outputs. Each construct of CC_ω leads to one instance of the
predicate. As an example, let us inspect the instance of the param predicate
for dependent products, which implements the rule TROCQΠ of the TROCQ
calculus. For the sake of readability, we removed lines related to logs, pretty-
printing, and fresh universe instance generation. The head of the predicate is:

param (prod N A B) (app [pglobal (const PType) _, M1, M2]) Prod' ProdR :-
  param.db.ptype PType, !,
  cstr.univ-link C M1 M2,


which matches an input term Πx : A. B and our Coq encoding of its annotated
type (the sort annotated with the pair (M1, M2)). Then, following the hypotheses
in the inference rule, the predicate computes the prescribed annotation
(C_A, C_B) = D(C), and does two recursive calls on A and B with classes C_A and C_B:

  cstr.dep-pi C CA CB,
  cstr.univ-link CA M1A M2A,
  param A (app [pglobal (const PType) _, M1A, M2A]) A' AR,
  cstr.univ-link CB M1B M2B,
  TB = app [pglobal (const PType) _, M1B, M2B],
  @annot-pi-decl N A a\ pi a' aR\ param.store a A a' aR =>
    param (B a) TB (B' a') (BR a a' aR),


The last step (omitted in the above snippet) is to build the output proof
from A_R and B_R. As the axioms (univalence, functional extensionality) that might be
involved in some proofs are not assumed globally, they are used as an additional 
argument albeit only in the building blocks that require them. Therefore, we 
check whether the requested rule requires the addition of an axiom to the list 
of arguments (in the case of the dependent product, function extensionality). If 
this axiom is not present in the context at the time of calling this part of the 
code, the tactic rightfully fails, because the translation is impossible. 


Exploiting symmetries. TROCQ provides several distinct rules per language con-
struct (such as Π) and per relation structure among the 36 items in the hierarchy:
for a same construct, these rules differ by the annotations required on the input 
of the rule, and by the structure of the relation relating the input term and the 
synthesized one. For each such rule, a Coq function provides the corresponding 
rule building block. Making the most of symmetries, the 495 rule building blocks 
are generated by meta-programming from only 9 manually defined ones. 


Handling of constants. Finally, the traversal of the input term collects constraints
on the annotations, as multiple valid solutions might exist: for instance, an
implication might be obtained from weakening an equivalence. The algorithm
strives to minimize the requirements on the user-defined building blocks, which
also amounts to minimizing the dependency on axioms. This inference procedure
is formalized as a finite domain constraint solving problem, and implemented
using the Constraint Handling Rules (CHR) language [10], as available in Elpi.


3 Related work 


In the context of type theory, Barthe and Pons [3] already noticed that the
computational content of type isomorphisms can serve proof transfer. The first
implementation report of a tool based on this idea appeared soon after [16].
Implemented in a meta-language and based on proof rewriting, this heuristic
translation produced a candidate proof term from an existing proof term, with no
formal guarantee, not even that of being well-typed. Generalized rewriting [17],
which generalizes setoid rewriting to preorders, is also a variant of proof transfer,
albeit within the same type. As such, it allows in particular rewriting under
binders. The restriction to homogeneous relations however excludes more general
instances of proof transfer, e.g., datatype representation change and quasi-
PERs (QPER, or zig-zag complete relations) [13], essentially heterogeneous.

The other proof transfer methods we are aware of all address the case of 
heterogeneous relations. Incidentally, they can thus also be used for the homo- 
geneous case, and thus for generalized rewriting, although this special case is 
seldom emphasized. The Coq Effective Algebra Library (CoqEAL) [8,7] and the
Isabelle/HOL transfer package [14,11,12,15] pioneered the use of parametricity-based
methods for proof transfer, motivated by the refinement of proof-oriented
data-structures to computation-oriented counterparts. Together with a subse- 
quent generalization of the CoqEAL approach [21], these tools address the case 
of a transfer between a subtype of a certain type A and a quotient of a certain 
type B, i.e., the case of a trivial QPER in which the zig-zag morphism is a 
surjection from A to B. 

Modern approaches to proof transfer rely on univalence, either as an axiom,
in the case of univalent parametricity [19] or as a computing primitive [2]. Key
ingredients of univalent parametricity were already present in earlier seemingly
unpublished work [1], implemented using an ancestor of the MetaCoq library [18].

The columns of Table 1 list these tools in chronological order, and indicate
when the features listed as lines are available (✓), not available (✗) or only
partially available (∼). Heterogeneous refers to transfer along heterogeneous
relations. Internal distinguishes the oldest tool, which operates via a monolithic
translation of an input proof term, from the others, which rather prove an
internal implication lemma. Anticipation refers to the need to define a dedicated
structure for the signature to be transported. Binders (∀) can prevent transfer,
as well as dependent types, which require univalence.
                | Coq | Coq | Coq | Isabelle/HOL | Coq | HoTT | Cubical Agda | Coq | TROCQ (Coq or HoTT)
Heterogen. rel. |  ✓  |  ✗  |  ✓  |      ✓       |  ✓  |  ✓   |      ✓       |  ✓  |  ✓
Internal        |  ✗  |  ✓  |  ✓  |      ✓       |  ✓  |  ✓   |      ✓       |  ✓  |  ✓
No anticipation |  ✓  |  ✓  |  ✓  |      ✓       |  ✓  |  ∼   |      ✗       |  ✓  |  ✓
Under ∀         |  ✓  |  ✓  |  ✗  |      ✓       |  ✓  |  ∼   |      ✓       |  ✓  |  ✓
Dep. types      |  ✓  |  ✗  |  ✗  |      ✗       |  ✗  |  ✓   |      ✓       |  ✗  |  ✓
Univalence-free |  ✓  |  ✓  |  ✓  |      ✓       |  ✓  |  ✗   |      ✗       |  ✓  |  ✓
Subrelations    |  ✗  |  ∼  |  ✗  |      ✗       |  ✗  |  ✗   |      ✗       |  ✗  |  ✓
QERs            |  ✗  |  ∼  |  ∼  |      ∼       |  ∼  |  ✗   |      ✓       |  ✗  |  ∼
Subtyping       |  ✗  |  ✗  |  ∼  |      ∼       |  ∼  |  ✗   |      ✗       |  ∼  |  ∼

Table 1. Comparison of proof transfer automation devices (columns in chronological order; the last column is TROCQ)
Abstract. Equality is at the heart of dependent type theory, as it
plays a fundamental role in specifications and mathematical reasoning.
The standard way to handle it in mainstream proof assistants such as
Agda, Lean or Coq is based on Martin-Löf's identity type, which comes
straight out of the '70s—its elegance and simplicity have earned it a long-
standing use, despite a major discrepancy with traditional mathematical
formulations: it does not satisfy any extensionality principles. Recently,
the work on observational equality has regained interest as a new way
to encode equality in proof assistants that support a universe of defini-
tionally proof-irrelevant propositions; however it has yet to be integrated
in any major proof assistant, because it is not fully compatible with an-
other important feature of type theory: indexed inductive types. In this
paper, we propose a systematic integration of indexed inductive types
with an observational equality, and show that this integration can only
be completely satisfactory if the observational equality satisfies the com-
putational rule of Martin-Löf's identity type. The second contribution
of this paper is a formal proof that this additional computation rule,
although not present in previous works on observational equality, can
be integrated to the system without compromising the decidability of
conversion.


1 Introduction 


Equality is a fundamental part of mathematical reasoning and formal specifica-
tion, and it is therefore at the heart of any proof assistant. In Martin-Löf Type
Theory [17], it is expressed with the identity type, which is characterized by two
elegantly simple principles: equality is reflexive, and an equality proof cannot be
told apart from a proof by reflexivity from inside the theory (this is known as
the J rule, or transport). From these two principles, it is possible to show that
the identity type is symmetric, transitive, and even that it satisfies all the laws
of a higher groupoid [9]. This Martin-Löf identity type serves as the base for the
interpretation of equality in the proof assistants Agda, Coq and Lean.

Unfortunately, this alluring formulation suffers from serious drawbacks: it
is impossible to prove extensionality principles for the identity type, and the
uniform definition makes it difficult to integrate types for which the equality
relation is specified ad hoc, such as quotient types. In practice however, quotient
types and extensionality principles are pervasive in mathematics; in particular
the principle of function extensionality—which says that two functions are equal
when they are equal at every point—is taken for granted by most mathematicians
and computer scientists. While it is possible to postulate those extensionality
principles as axioms, this comes at the price of blocking computation for the
transport operator.

© The Author(s) 2024


In order to improve this sorry state of affairs, the most natural solution is to
go back at the root of the problem and replace the dysfunctional identity type
with a better-behaved alternative, for instance with the observational equality of
[6]. Unlike Martin-Löf's identity type, the observational equality has a specific
definition for each type former, so that the definition of quotient types becomes
straightforward and extensionality principles can be added without too much
trouble. There is some amount of freedom in the precise implementation of this
idea; in this work we will build upon the recently proposed system CC^obs [23].
Thus in CC^obs, every type A is equipped with an observational equality t ∼_A u,
defined as a proof-irrelevant proposition with a reflexivity proof written refl.
The system also provides a primitive type-casting operator cast A B e t that
can be used to coerce a term t of type A to the type B, given a proof e that
these two types are observationally equal. This type-casting operator can then be
used to derive the J rule for the observational equality, which ensures that it is a
reasonable notion of equality and thus a good candidate for an implementation
in a proof assistant.


But even though the idea has been around for almost two decades, none of
the mainstream proof assistants supports the observational equality as of 2023.
One possible reason is that it is not so easy to integrate it with the sophisticated
type systems of modern proof assistants such as Agda, Coq and Lean, and in
particular with their system of inductive definitions. Thus, the first contribution
of this work is to extend CC^obs with the indexed inductive types of Coq and
their computation rules, resulting in a system that we call CIC^obs. We do this
by exhibiting a general mechanism that distinguishes casts on parameters which
can be propagated in the arguments of constructors, and casts on indices which
are blocked and create new normal forms. Therefore, the indexed inductive types
of CIC^obs can contain more inhabitants than their counterparts in CIC; they only
coincide when indices are taken in a type with decidable equality (e.g., natural
numbers in the case of vectors). Additionally, in order to properly handle the
propagation of the casts, we give a general account of which equalities can be
deduced from an observational equality between two instances I x and I y of the
same inductive type. The correct rule is slightly more subtle than the injectivity
of type formers—in particular, when a parameter of I is not used in the definition
of the constructors of the inductive type, the equality of the two instances does
not imply the equality of the parameter.


Our treatment of indices is based on Fordism, a technique that makes use
of the equality type to reduce indexed inductive definitions to parametrized
definitions. Its usefulness in an observational context has already been noted in
[5], but it should be emphasized that the computational faithfulness of Fordism
crucially relies on the computation rule for transport, which is weakened in the
system of [23]: the encoding of transport via the cast operator does not compute
on reflexivity proofs as well as the eliminator of Martin-Löf's identity type. More
precisely, in CC^obs it is possible to prove that the propositional equality

cast A A (refl A) t ∼_A t

is inhabited for any type A, but the equality does not hold definitionally. This
seemingly harmless difference implies that the observational equality of CC^obs
cannot be used to encode the indexed definitions of CIC. This issue is well-known,
and previous work [22] introduced an auxiliary equality defined as a quotient
type to recover this computation rule at the cost of the definitional uniqueness
of identity proofs (UIP), in a way that is reminiscent of Swan's identity type
in cubical type theories [25]. In our new system CIC^obs, we go a step further
and show that the tension can be fully resolved by using the idea of [4] that
under certain conditions, definitional equalities that hold on closed terms can be
extended to open terms by adding new definitional equations on neutral terms.
Indeed, the failure of the computation rule for transport only occurs on open
terms, since cast computes on types and terms instead of the equality proof. For
instance, in the case of the identity cast on natural numbers it is already true
in CC^obs that cast N N (refl N) 32 = 32, and similarly for any closed natural
number—this is a direct consequence of the canonicity theorem proved in [22].
What is missing is the equation cast N N (refl N) n = n when n is a neutral
term, in particular a variable. Thus the problem to be addressed is:


“Can we add those new definitional equations while keeping conversion and 
type checking decidable?” 


In the case of the type of natural numbers, it is very tempting to transform
this equation into a new reduction rule cast N N e n ⇒ n. However the case
of two neutral types A and B seems more delicate, since the corresponding rule
cast A B e t ⇒ t should fire only when A and B are convertible, and reduction
rules that rely on a conversion premise are still poorly understood [28].
Fortunately, this is not the only way to support the desired definitional equal-
ity. Coming back to the case of natural numbers, if n is neutral then neither n
nor cast N N e n will trigger the reduction of an eliminator; therefore the deci-
sion that cast N N e n = n can be deferred to equality checking after reduction,
in the same way that one usually decides η-equality for functions. The second
contribution of this paper is a formal proof that this algorithm does indeed lead
to a sound and complete decision procedure for conversion. The argument is
formalized in Agda (see Section 8), following previous work on logical rela-
tions [2,22,23].


Related work The first proof assistant to implement an observational equality
was the now-defunct Epigram 2 [19]. Although it did not have a primitive scheme
for inductive definitions à la Coq, Epigram 2 had support for indexed W-types
based on a fancy notion of containers, and its equality type did implement the
computation rule on reflexivity, meaning that the user could use it to encode
indexed definitions using Fordism. The normalization and consistency of Epi-
gram 2 is justified with an inductive-recursive embedding into Agda, but this
embedding does not account for the computation rule on reflexivity, which is
only conjectured not to break normalization and decidability.

In the world of cubical type theories, more attention has been paid to the
definition of general (higher) inductive types [10]. There, the situation is com-
plicated by the fact that transport for the cubical equality does not support
definitional computation on reflexivity as of today (this is known as the regu-
larity problem), thus the Fordism encoding cannot be used straightforwardly.
Instead, Cavallo and Harper add a fcoe constructor to their indexed inductive
types in order to keep track of the coercions on indices, and they obtain that
an inhabitant of an inductive type in normal form is a chain of fcoe applied to
a canonical constructor. These inductive definitions have been implemented in
Cubical Agda [27] and have been used to develop a sizeable standard library.


2 Observational Equality Meets CIC at Work 


The Calculus of Inductive Constructions (CIC), which is the theoretical foun-
dation of the proof assistants Coq and Lean, includes a powerful scheme for
inductive definitions [21]. It supports parameters, indices and recursive defini-
tions, but also more exotic features such as mutually defined or nested families.
The high level of generality of this scheme allows it to subsume types as diverse
as the natural numbers, Σ-types, W-types, and Martin-Löf's identity type. If we
are to extend Coq with an observational equality, then we need to understand
how it interacts with these inductive definitions, and to devise suitable com-
putation rules. While some of these rules are self-evident, others will turn out
to be more delicate. In order to help the reader build their intuition, we study
the observational version of three common inductive types: lists, Martin-Löf's
identity type and vectors.


2.1 Lists 


We start with a brief look at the datatype of lists parametrized by an arbitrary
type. Its definition in Coq might look something like this:

Inductive list (A : Type) : Type :=
| nil : list A
| cons : A -> list A -> list A.


The basic rules of the CIC already provide us with an eliminator and computation
rules for this inductive type. In the language of Coq, these are implemented via
a pattern-matching construction (match) and a guarded fixpoint operator (fix)
[1]. But in an observational type theory, we need more than just the rules for
introduction, elimination and computation—every type former should come with
three additional ingredients: a definition of the observational equality between
inhabitants, a definition of the observational equality between two instances of
the type, and computation rules for cast.

There is some leeway for the definition of the observational equality on any
given type. In its original version and most of the subsequent literature, the
observational equality type itself evaluates to a domain-specific equality, meaning
that a proof of equality between two functions is definitionally the same as a
proof of pointwise equality [6,23]. On the other hand, it is possible to implement
an observational type theory in which the equality type does not reduce, but
is instead equipped with primitive operators that can be used to convert (for
instance) a pointwise equality of functions into an equality [7]. In this paper,
we will go with the second approach, as it turns out to be better suited for an
implementation in Coq.

Now, what operators should we add in the case of lists? Obviously, two lists 
should be observationally equal if and only if they are either both empty, or have 
equal heads and recursively equal tails. But as it turns out, this logical equiva- 
lence is already derivable from the induction scheme for lists and the J eliminator 
for the observational equality—just like we would prove it in plain intensional 
Martin-Lof Type Theory (MLTT). Therefore, we do not need to characterize the 
equality between lists any further. This stems from the fact that inductive types 
are free algebras, and do not need any sort of quotienting in their construction. 
The observational equality between inhabitants of the universe, on the other 
hand, does not profit from such an induction principle. Thus we add a new oper- 
ator to our theory, which takes an equality between two list types and “projects” 
out an equality between the underlying types: 


eq-list : list A ∼ list B → A ∼ B.


This principle is necessary, because a proof of equality between list A and 
list B should allow us to coerce a list of elements of A into a list of elements 
of B, and thus in particular it should allow us to coerce from A to B. Since this 
implication is in fact a logical equivalence (the converse direction is provable 
from the J eliminator), it does indeed fully determine the observational equality 
between list types. Finally, we need to add rules that explain how cast computes 
on lists. Unlike the computation rules for the observational equality types, these 
are very much necessary, unless we are fine with having stuck computations in 
an empty context. Here, there is only one natural choice: casting a constructor 
of list A should evaluate to the corresponding constructor of list B. 


cast (list A) (list B) e nil         ≡ nil
cast (list A) (list B) e (cons a l)  ≡ cons (cast A B (eq-list e) a)
                                            (cast (list A) (list B) e l)


Remark that in the case of a non-empty list, we need the eq-list axiom in
order to apply cast to the head of the list. Voilà, this is all it takes for an
observational type theory with lists. With this example under our belt, we now
move on to a more sophisticated example.
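The following Python model is an added example, not code from the paper or from any implementation it describes. It makes two passages concrete at once: the cast computation rules on lists stated just above, and the decision procedure sketched in the introduction, where the equation cast N N e n = n for a neutral n is not a reduction rule but is checked during conversion after normalization, in the way η for functions is usually handled. The fragment is constructed for illustration (natural numbers, list types, neutral type and term variables); the rule cast N N e (S n) ⇒ S (cast N N e n) is this model's own reading of "cast computes on types and terms, never on the proof", and equality proofs are treated as definitionally irrelevant, so a stuck cast is compared on its types and argument only. All class and function names are the example's own.

```python
"""Constructed toy model of cast reduction and conversion (added example code,
not the paper's): natural numbers, lists, neutral variables and cast A B e t."""
from dataclasses import dataclass

# Types: natural numbers, list types, and neutral type variables.
@dataclass(frozen=True)
class Nat: pass
@dataclass(frozen=True)
class List_: elem: object
@dataclass(frozen=True)
class TVar: name: str          # type variable from the context (neutral type)

# Terms: constructors, neutral term variables, and the cast primitive.
@dataclass(frozen=True)
class Zero: pass
@dataclass(frozen=True)
class Succ: pred: object
@dataclass(frozen=True)
class Nil: pass
@dataclass(frozen=True)
class Cons: head: object; tail: object
@dataclass(frozen=True)
class Var: name: str           # term variable from the context (neutral term)
@dataclass(frozen=True)
class Cast: src: object; dst: object; proof: object; arg: object   # cast A B e t

# Equality proofs are definitionally irrelevant; only their shape is recorded.
@dataclass(frozen=True)
class Refl: pass
@dataclass(frozen=True)
class EqList: proof: object    # eq-list e : A ~ B, from e : list A ~ list B

def num(k):
    """Closed numeral S^k 0 (constructed input for the examples)."""
    t = Zero()
    for _ in range(k):
        t = Succ(t)
    return t

def normalize(t):
    """Full normalization: casts are pushed through constructors and get
    stuck on neutral arguments; the proof component is never inspected."""
    if isinstance(t, Succ):
        return Succ(normalize(t.pred))
    if isinstance(t, Cons):
        return Cons(normalize(t.head), normalize(t.tail))
    if isinstance(t, Cast):
        return cast_step(t.src, t.dst, t.proof, normalize(t.arg))
    return t                                  # Zero, Nil, Var are normal

def cast_step(A, B, e, v):
    """Reduce cast A B e v for an already-normal v; returns a normal form."""
    if isinstance(A, Nat) and isinstance(B, Nat):
        if isinstance(v, Zero):               # cast N N e 0     ==> 0
            return Zero()
        if isinstance(v, Succ):               # cast N N e (S n) ==> S (cast N N e n)
            return Succ(cast_step(A, B, e, v.pred))
    if isinstance(A, List_) and isinstance(B, List_):
        if isinstance(v, Nil):                # the paper's rule for nil
            return Nil()
        if isinstance(v, Cons):               # the paper's rule for cons, using eq-list
            return Cons(cast_step(A.elem, B.elem, EqList(e), v.head),
                        cast_step(A, B, e, v.tail))
    return Cast(A, B, e, v)                   # stuck: neutral v, or neutral A, B

def conv_type(A, B):
    """Conversion of (already normal) types."""
    if isinstance(A, Nat) and isinstance(B, Nat):
        return True
    if isinstance(A, List_) and isinstance(B, List_):
        return conv_type(A.elem, B.elem)
    return isinstance(A, TVar) and isinstance(B, TVar) and A.name == B.name

def conv(t, u):
    """Decide t = u: normalize both sides, then compare normal forms."""
    return conv_nf(normalize(t), normalize(u))

def conv_nf(t, u):
    # The deferred equation cast A B e n = n: applied after reduction whenever
    # A and B are convertible, the way eta for functions is usually decided.
    if isinstance(t, Cast) and conv_type(t.src, t.dst):
        return conv_nf(t.arg, u)
    if isinstance(u, Cast) and conv_type(u.src, u.dst):
        return conv_nf(t, u.arg)
    if type(t) is not type(u):
        return False
    if isinstance(t, (Zero, Nil)):
        return True
    if isinstance(t, Succ):
        return conv_nf(t.pred, u.pred)
    if isinstance(t, Cons):
        return conv_nf(t.head, u.head) and conv_nf(t.tail, u.tail)
    if isinstance(t, Var):
        return t.name == u.name
    # Two stuck casts between non-convertible types: compare types and
    # arguments only, since the proofs are irrelevant.
    return (conv_type(t.src, u.src) and conv_type(t.dst, u.dst)
            and conv_nf(t.arg, u.arg))
```

With this model, `normalize(Cast(Nat(), Nat(), Refl(), num(2)))` computes to `num(2)` (the closed case, as canonicity predicts), while `Cast(Nat(), Nat(), Var("e"), Var("n"))` stays stuck under normalization and is only identified with `Var("n")` by `conv`; a cast between two distinct neutral types `TVar("A")` and `TVar("B")` is not identified with its argument, which is exactly the case where a reduction rule with a conversion premise would be needed.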


2.2 Indices and Fordism 


The next layer of complexity offered by the scheme of Coq is indices. Here, the
story gets more complicated, as indexed definitions gain new inhabitants in the
presence of the observational equality. To see this, consider Martin-Löf's identity
type, which is the prototypical example of an indexed inductive definition:

Inductive Id (A : Type) (x : A) : A -> Type := id_refl : Id A x x.


In intensional type theory, it is well-known that this equality type does not satisfy
the principle of function extensionality. But in our observational type theory, it
turns out we can prove that Martin-Löf's identity type is logically equivalent
to the observational equality (we can use the cast operator in one direction, and
the induction principle for Id in the other direction). In particular, the principle
of function extensionality is now provable for Id! As convenient as it might sound,
it also implies that we can get an inhabitant of the type Id (N → N) (λn. 1 + n) (λn. n + 1)
in the empty context, since the two functions are extensionally
equal. But this inhabitant cannot be definitionally equal to id_refl, as the two
functions are not convertible. From this, we deduce that the closed inhabitants
of an indexed inductive type may include more than the canonical ones, i.e.,
those that can be built out of the constructors of the inductive type.

In order to get a better grasp on these noncanonical inhabitants, we can turn
our attention to Fordism. This technique was invented by Coquand for his work
on the proof assistant Half in the 1990s, as a way to reduce indexed inductive
types to parametrized inductive types and an equality type. The name Fordism
first appeared in [18], in reference to a famous quote by Henry Ford: "A customer
can have a car painted any color he wants as long as it's black". Let us look at
the construction at work on the inductive definition of vectors, which is a little
less barebones than the inductive identity type:

Inductive vec (A : Type) : N → Type :=
| vnil : vec A 0
| vcons : ∀ m, A → vec A m → vec A (S m).


Vectors are basically lists with an additional index that makes their length avail-
able in the type, ensuring that a vector of type vec A n contains n elements. In
order to get the forded version of vectors, we modify their definition so that the
index becomes a parameter, and the two constructors gain a new argument:

Inductive vec_F (A : Type) (n : N) : Type :=
| vnil_F : n ∼_N 0 → vec_F A n
| vcons_F : ∀ m, A → vec_F A m → n ∼_N S m → vec_F A n.


Remark that a forded empty vector vnil_F e can have a priori the type vec_F A n
for any n, except that e is a witness that n is equal to 0. An empty vector can
have any size you want, as long as it's zero! The point of Fordism is that the
induction principle of vec can be derived for vec_F, by combining the induction
principle provided by the CIC for vec_F and the eliminator of the equality:

vec_elim (A : Type) (P : ∀ n : N, vec_F A n → Type) :
  P 0 (vnil_F 0 refl) →
  (∀ (m : N) (a : A) (v : vec_F A m), P m v → P (S m) (vcons_F (S m) m a v refl)) →
  ∀ (n : N) (v : vec_F A n), P n v.
vec_elim A P Pnil Pcons n (vnil_F n e) =
  cast (P 0 (vnil_F 0 refl)) (P n (vnil_F n e)) (vnil_ap A e) Pnil.
vec_elim A P Pnil Pcons n (vcons_F n m a v e) =
  cast (P (S m) (vcons_F (S m) m a v refl)) (P n (vcons_F n m a v e))
       (vcons_ap A m a e v) (Pcons m a v (vec_elim A P Pnil Pcons m v)).


Here, we used implicit arguments for refl and we used two auxiliary definitions
vnil_ap and vcons_ap showing that functions preserve equalities. Furthermore, if
the cast operator satisfies the computation rule on reflexivity, then the induction
principle provided by the Fordism transformation satisfies the same computa-
tion rules as the standard induction principle for indexed inductive types. Thus,
Fordism can serve as a recipe for the implementation of indexed inductive types,
as long as we know how to handle parametrized inductive types and have an
equality that computes on reflexivity.

Additionally, this transformation sheds some light on the noncanonical ele-
ments of indexed inductive types: in CIC, the only closed proof of equality is a
proof by reflexivity, thus the inhabitants of vec_F A n in the empty context be-
have exactly like the canonical inhabitants of vec A n. But in an observational
type theory, there are many proofs of equality in the empty context (think for
example of a proof of equality between two functions that are not convertible,
but extensionally equal) which give rise to new elements. These elements can
be obtained by casting a canonical inhabitant to a type with a different (but
observationally equal) index, and they cannot be eliminated away in general³.


2.3 Parameters and Equalities 


Now that we know how to handle indexed types, we can revisit Martin-Löf's
identity type, which plays an important role in CIC. After the Fordism transfor-
mation, its definition looks like this:


Inductive Id_F (A : Type) (x y : A) : Type := id_refl_F : x ~A y → Id_F A x y.


As we want to incorporate this type into our observational theory, we apply the
standard recipe: we need a definition of the observational equality between in-
habitants of Id_F, a definition of the observational equality between two instances
of Id_F, and computation rules for the cast operator. The first one is easy, as
we can prove that any two inhabitants of Id_F A x y are equal: by induction, we
only need to prove it for elements of the form id_refl_F e, with e being a proof
of x ~A y. But the observational equality is definitionally proof-irrelevant, so
this is true by reflexivity. In other words, the principle of uniqueness of identity
proofs (UIP) is provable for the inductive identity type in observational type
theory, in stark contrast with MLTT or CIC. Thus, we do not need any further
characterization of the observational equality between inhabitants of Id_F.

On the other hand, the definition of the observational equality between two
instances of the identity type Id_F A x y and Id_F A′ x′ y′ makes for another inter-
esting story. From our study of lists, it might be tempting to extrapolate that
an observational equality between two instances of a parametrized inductive


3 In the case of vectors, it is possible to find alternative encodings that do not have 
these new canonical elements, because the equality between indices is decidable in the 
empty context. However, we aim at a systematic and uniform treatment of indexed 
inductive types, so we will not consider this option. 


282 L. Pujet and N. Tabareau 


datatype should imply an equality between the parameters, or in the special
case of Id_F, that we get the following principle:


Id_F A x y ~ Id_F B z w → ∃ (e : A ~ B), (cast A B e x ~ z) ∧ (cast A B e y ~ w)


This means that parametrized inductive definitions are injective functions from 
the type of parameters to the universe. Unfortunately, this idea turns out to be 
incompatible with the rules of CIC. Indeed, according to these rules the induc- 
tive equality Id A x y should live in the lowest universe, since it has only one 
constructor with no arguments. But then if A is a large type, we get an injective 
function from A into the lowest universe, which is potentially inconsistent—for 
instance, consider the following function: 


inj (X : Type → Type) := Id_F (Type → Type) X X


If the Id_F type former is injective, then inj is an injection of Type → Type into
Type, from which we can encode Russell's paradox and derive an inconsistency
for CIC [20]. Thus, if we really want to have this injectivity of parameters, we
need to modify the rules of our theory so that inductive definitions are only
allowed in a universe that is sufficiently large to accommodate their parameters.
But this is not exactly reasonable: this would mean that we cannot abstract over
the definition of an inductive type using Coq's sections mechanism, since sec-
tion variables are translated to inductive parameters. In other words, inductive
definitions would only make sense in closed contexts.

In order to avoid such a serious drawback, we will use a completely different 
characterization for the observational equality between inductive types. After 
all, what do we need these axioms for? The answer is simple: we need some 
observational equalities to put in the computation rules for the cast operator. 


cast (Id_F A x y) (Id_F B z w) e (id_refl_F e′) = ...


For inductive types, these computation rules are very systematic: when cast is
applied to a constructor, it should naturally reduce to the corresponding
constructor of the target inductive. Thus, we need to produce an inhabitant of
z ~B w from an inhabitant of x ~A y. This is a job for the cast operator:


cast (Id_F A x y) (Id_F B z w) e (id_refl_F h) = id_refl_F (cast (x ~ y) (z ~ w) ? h).


In order to fill the question mark hole, we need a proof of observational equality 
between the two observational equality types. Since all we have is a proof of 
equality between Idr A x y and Idr B z w, we need something to extract the de- 
sired equality. The injectivity of the inductive types is sufficient for this purpose, 
but it is not necessary. Instead, we can go for the bare minimum: an observa- 
tional equality between two instances of the same inductive definition should 
imply the equality of all their argument contexts, and nothing more. In the case
of the inductive Id_F, it means that we get the following projection:


eq_Id_F : Id_F A x y ~ Id_F B z w → (x ~ y) ~ (z ~ w).


As we will prove in Section 6, this is enough to get an identity type that lives in
the lowest universe without endangering the consistency of the theory.
i, j ∈ ℕ                                                        Universe levels
s ::= U_i | Ω                                                   Universes
Γ, Δ ::= ε | Γ, x : A : s                                       Contexts
t, u, m, n, e, A, B ::= x | s                                   Variables and universes
  | λ(x : A). t | t u | Π^{s,s′}(x : A). B                      Dependent products
  | ⊥-elim A t | ⊥                                              Empty type
  | t ~A u | refl t | transport A t B u t′ e                    Observational equality
  | cast A B e t                                                Type cast
  | Π¹ | Π² | Ω_ext | Π_ext                                     Properties of equality


Fig. 1: Syntax for the negative fragment of CIC^obs [Untyped.agda]


3 CIC^obs with Martin-Löf's Computation Rule


At this stage, we have a clear roadmap for our observational type theory with 
inductive types: first, we need a system with a cast operator that computes 
on proofs by reflexivity. Then, we handle parametrized inductive types with 
projection functions for the equality types and computation rules for cast, and 
finally, we can take care of indexed inductive types with some syntactic sugar 
around the Fordism transformation. 

We are now in position to define CIC^obs, the observational type theory that
will serve as our theoretical framework. It is based on the system CC^obs of [23],
but with a few tweaks, the most important one being the additional computation
rule for the cast operator on reflexivity proofs. In this section, we give a brief
presentation of the syntax, typing rules and declarative conversion for the core
of the type theory, with an emphasis on the points that differ from CC^obs, before
defining the scheme for inductive definitions in Section 5. All the definitions
in the figures follow closely our Agda formalization. We refer to files in the
formalization as [myFile.agda].


3.1 The Syntax of CIC^obs


The syntax of the sorts, contexts, terms and types of CIC^obs is specified in
Fig. 1. The sorts of our system are divided into a predicative hierarchy (U_i)_{i∈ℕ}
which mirrors the Type hierarchy of Coq, and an impredicative sort Ω of proof-
irrelevant propositions which corresponds to Coq's SProp. The base types are
the false proposition ⊥, the observational equality t ~A u and the dependent
function type Π^{s,s′}(x : A). B. For the sake of readability, we will frequently drop
the sort annotations on dependent products when they can be inferred from
the context, and when B does not depend on A, we write A → B instead of
Π(x : A). B. In addition to these basic types, our theory also includes a defini-
tion scheme for indexed inductive types, that can be used to extend the syntax
with new types and terms (cf. Section 5).

Compared to the system CC^obs of [23], we add four new primitives Π¹,
Π², Ω_ext and Π_ext, whose role is to provide the properties of the observational




EQ-Ω
  Γ ⊢ A : Ω    Γ ⊢ B : Ω
  --------------------------------------------
  Γ ⊢ Ω_ext : (A → B) → (B → A) → A ~Ω B

EQ-FUN
  Γ ⊢ A : s    Γ, x : A : s ⊢ B : U_i    Γ ⊢ f, g : Π(x : A). B : R(s, U_i)
  -----------------------------------------------------------------------
  Γ ⊢ Π_ext : Π(x : A). f x ~B g x → f ~_{Π(x:A).B} g

EQ-Π1
  Γ ⊢ A, A′ : s    Γ, x : A ⊢ B : s′    Γ, x : A′ ⊢ B′ : s′
  -------------------------------------------------------------------
  Γ ⊢ Π¹ : Π(x : A). B ~_{R(s,s′)} Π(x : A′). B′ → A′ ~s A

EQ-Π2
  Γ ⊢ A, A′ : s    Γ, x : A ⊢ B : s′    Γ, x : A′ ⊢ B′ : s′
  ------------------------------------------------------------------------------------------
  Γ ⊢ Π² : Π(e : Π(x : A). B ~ Π(x : A′). B′). Π(a′ : A′). B[x := cast A′ A (Π¹ e) a′] ~s′ B′[x := a′]


Fig. 2: CIC^obs rules for characterizing the observational equality [Typed.agda]


equality which were previously given as computation rules. For instance, in the
system of [23] an equality between two function types evaluates to a Σ-type that
contains equalities of the domain and codomain, while in our new system these
two equalities are obtained by applying Π¹ and Π² to the proof of equality
between function types. Replacing computations with these new primitives does
not endanger the computational properties of our theory, since they only ever
produce computationally irrelevant equality proofs. Plus, it results in a more
elegant system that does not need a primitive Σ-type; this way of handling
the properties of the observational equality will be especially convenient when
dealing with inductive definitions, where equalities between types imply complex
telescopes of equalities which would be cumbersome to express with nested Σ-
types.


3.2 The Typing Rules of CIC^obs


The typing rules of CIC^obs are based on five judgments:


⊢ Γ                 Γ is a well-formed context,
Γ ⊢ A : s           A is a well-formed type of sort s in Γ,
Γ ⊢ t : A : s       t is a term of type A in sort s in Γ,
Γ ⊢ A ≡ B : s       A and B are convertible types of sort s in Γ, and
Γ ⊢ t ≡ u : A : s   t and u are convertible terms of type A in Γ.


In all the judgments, s denotes either U_i or Ω. Note that since every universe
has a type, the well-formedness judgments for types Γ ⊢ A : s (and convertibility
judgments of types) can be seen as special cases of typing judgments for terms
Γ ⊢ A : s : s′ for a suitable s′, but we keep the type-level judgments to avoid
writing unnecessarily many sort variables.

The rules for universes, dependent function types, and the empty type are
taken directly from [23], so we only give a brief overview here. The complete set
of rules is available in [Typed.agda]. We use PTS-style notations [8] to factorize
the impredicative and predicative rules for universes and dependent products:
the formation rule for universes states that both U_i and Ω are inhabitants of a
higher universe, as described by the relations


𝒜(U_i, U_j) := j = i + 1        𝒜(Ω, U_i) := i = 0.


We allow the formation of dependent products with a domain and a codomain 
that have different sorts. If the codomain is a proof-relevant type, then the 
dependent product should have a universe level that is the maximum between 
the level of the domain and that of the codomain. On the other hand, if the 
codomain is a proposition then the result is a proposition regardless of the size 
of the domain. This is made formal by using the function R(_,_) defined as 


R(s, Ω) := Ω        R(Ω, U_i) := U_i        R(U_i, U_j) := U_max(i,j).


Equality and Type Casts. Every proof-relevant type comes equipped with a propo-
sitional binary relation, noted t ~A u and called the observational equality. This
type has one introduction rule that turns it into a reflexive relation. Of course,
proof-irrelevant types have no use for an observational equality, since any two
inhabitants would always be in relation by reflexivity. The observational equality
is equipped with two elimination principles, which are called transp and cast.
The former is similar to the J eliminator from MLTT, except that it is restricted
to propositional predicates. Elimination into the proof-relevant layer is thus han-
dled by the cast operator, which provides coercions between two observationally
equal types. It might seem less general than the standard J eliminator, but since
equality proofs are definitionally irrelevant, it turns out that a J eliminator for
proof-relevant predicates can be derived from the cast operator.

As we already mentioned, the extensional properties of the observational
equality are given by the primitives Π¹, Π², Ω_ext and Π_ext: rules EQ-Π1 and
EQ-Π2 allow us to deduce the equality of domains and codomains from an equal-
ity between two dependent function types, rule EQ-Ω provides propositional
extensionality, and rule EQ-FUN provides function extensionality.


3.3 Conversion 


The conversion, also called definitional equality, is a judgment that relates the
terms that are interchangeable in typing derivations. The rules that define the
conversion judgment are reproduced in Fig. 3. By definition, conversion is a
reflexive, symmetric and transitive relation. It is also closed under congruence
(e.g. if A ≡ A′ and B ≡ B′ then Π(x : A). B ≡ Π(x : A′). B′), although we did
not reproduce all the corresponding rules in Fig. 3 for the sake of brevity. The
conversion judgment is itself subject to the conversion rule (rule CONV-CONV).

As usual, the conversion relation contains the β-equality for proof-relevant
applications (rule β-CONV), and the η-equality of functions⁴ (rule η-EQ). The


4 The propositional η-equality is actually provable in observational type theory, since
it is a special case of the extensionality of functions. Nevertheless, it is still convenient
to have as a conversion rule, to get a more flexible system.
REFL
  Γ ⊢ t : A : U_i
  ----------------------
  Γ ⊢ t ≡ t : A : U_i

SYM
  Γ ⊢ t ≡ u : A : U_i
  ----------------------
  Γ ⊢ u ≡ t : A : U_i

TRANS
  Γ ⊢ t ≡ s : A : U_i    Γ ⊢ s ≡ u : A : U_i
  --------------------------------------------
  Γ ⊢ t ≡ u : A : U_i

η-EQ
  Γ ⊢ A : s    Γ ⊢ t, u : Π^{s,U_i}(x : A). B : R(s, U_i)    Γ, x : A : s ⊢ t x ≡ u x : B : U_i
  ---------------------------------------------------------------------------------------------
  Γ ⊢ t ≡ u : Π^{s,U_i}(x : A). B : R(s, U_i)

PROOF-IRR
  Γ ⊢ t : A : Ω    Γ ⊢ u : A : Ω
  --------------------------------
  Γ ⊢ t ≡ u : A : Ω

CONV-CONV
  Γ ⊢ t ≡ u : A : U_i    Γ ⊢ A ≡ B : U_i
  ----------------------------------------
  Γ ⊢ t ≡ u : B : U_i

β-CONV
  Γ ⊢ A : s    Γ, x : A : s ⊢ B : U_i    Γ, x : A ⊢ t : B : U_i    Γ ⊢ u : A : s
  ---------------------------------------------------------------------------------
  Γ ⊢ (λ(x : A). t) u ≡ t[x := u] : B[x := u] : U_i

CAST-Π
  Γ ⊢ A : s    Γ ⊢ A′ : s    Γ, x : A ⊢ B : s′    Γ, x : A′ ⊢ B′ : s′
  Γ ⊢ e : Π(x : A). B ~ Π(x : A′). B′ : Ω    Γ ⊢ f : Π(x : A). B    a := cast A′ A (Π¹ e) a′
  ----------------------------------------------------------------------------------------------
  Γ ⊢ cast (Π(x : A). B) (Π(x : A′). B′) e f ≡
        λ(a′ : A′). cast (B[x := a]) (B′[x := a′]) (Π² e a′) (f a) : Π(x : A′). B′ : R(s, s′)

CAST-REFL
  Γ ⊢ A ≡ B : s    Γ ⊢ e : A ~s B    Γ ⊢ t : A : s
  ---------------------------------------------------
  Γ ⊢ cast A B e t ≡ t : B : s


Fig. 3: CIC^obs Conversion Rules (except congruence rules) [Typed.agda]


rule PROOF-IRR reflects the computational irrelevance of the propositions: any
two inhabitants of the same proposition are deemed convertible. Additionally, the
conversion relation also includes the computation rules for the pattern-matching
of inductive constructors that we will define in Section 5.

Then, we have the rules describing the behaviour of the cast operator on
each type. The rule CAST-Π is standard; it says that a cast function evaluates
to a function that casts its argument, applies the original function, and then
casts back the result. Note that this rule needs the two projections Π¹ and
Π² to get equality between the domains and the co-domains. Likewise, every
declaration of an inductive type will add a handful of computation rules for the
cast operator. Last but not least, the rule CAST-REFL is the main innovation
of CIC^obs. It states that a cast between convertible types can be simplified away,
regardless of the proof of equality. This rule plays an important role in ensuring
compatibility with the CIC: recall that cast can be used to derive a J eliminator
for the observational equality—then rule CAST-REFL implies that this eliminator
computes on reflexivity proofs, just like the usual eliminator of Martin-Löf's
inductive equality.


4 Decidability of Conversion 


In this section, we show that conversion is decidable in presence of the rule
CAST-REFL for a simplified version of CIC^obs in which the induction scheme is
reduced to the type of natural numbers. Generally speaking, the main source
of difficulty for the decidability of conversion in dependent type theory is the
transitivity rule—because of it, we have no guarantee that comparing two terms
structurally is a complete strategy, since transitivity may be used with an arbi-
trary intermediate term at any point. If we want a decision procedure, we need
to replace this transitivity rule with something more algorithmic.

Our aim is thus to define an equivalent presentation of the conversion for
which transitivity is an admissible rule, but is not primitive. This is tradition-
ally achieved by separating the conversion into a notion of weak-head reduction
(Section 4.1) and a notion of conversion on neutral terms and weak-head normal
forms (Section 4.2). In standard CIC, this strategy is sufficient to get canonical
derivations of conversion, for which we have a decision procedure: we check the
existence of a canonical derivation by first reducing terms to their weak-head
normal form, and then comparing their head constructors and making recursive
calls on their arguments. The point of this algorithmic definition of conversion
is to replace the arbitrary transitivity rules with deterministic computations of
weak-head normal forms. Then we can show that transitivity is admissible for
conversion on neutral terms and weak-head normal forms. Naturally, this defi-
nition requires a proof of normalization of well-typed terms.

In the case of CIC^obs however, the decision procedure for conversion of neu-
tral terms and weak-head normal forms cannot be defined as a straightforward
structural comparison. When the two terms start with cast, there are three rules
that may apply: either congruence of cast, rule CAST-REFL on the left-hand
side, or rule CAST-REFL on the right-hand side. This means that the decision
procedure (Section 4.3) will have to do some backtracking to explore all possi-
ble combinations of congruence of cast and rule CAST-REFL. Fortunately, the
search space is bounded as every recursive call is done on a smaller argument.

Finally, to conclude on the decidability of conversion, we need to show that
the declarative conversion is equivalent to our algorithmic conversion. For that,
we use the logical relation setting of [2] to guarantee that every term can be
put in weak-head normal form and that algorithmic conversion is complete with
respect to conversion.

Note that our formalized version of CIC^obs only supports the inductive type
of natural numbers, and not the full scheme from Section 5. This is due to
the setting of the formal proof, which requires the added inductive types to be
explicit because Agda's check that the logical relation is well-defined makes use
of the strict positivity criterion, which is syntactic and cannot be abstracted
away for a generic definition. Nevertheless, we expect that our formal proof can
be extended to specific inductive types such as lists or Martin-Löf's identity
type, with methods similar to the ones from [3].


4.1 Reduction to Weak-Head Normal Forms 


A notion that plays a central role in our normalization procedure is that of
a weak-head normal form (whnf), which corresponds to a relevant term that
cannot be reduced further (Fig. 4). Weak-head normal forms are either terms
with a constructor in head position, or neutral terms stuck on a variable or


whnf     w ::= ℕ | Π^{s,s′}(x : A). B | s | N | ⊥ | t ~A u | λ(x : A). t | 0 | S n
neutral  N ::= x | N t | ⊥-elim A e | ℕ-elim P t u N
               | cast N B e t | cast ℕ N e t | cast (Π^{s,s′}(x : A). B) N e t
               | cast ℕ ℕ e N | cast w w′ e t
                 (where w, w′ ∈ {ℕ, Π^{s,s′}(x : A). B, s}, hd w ≠ hd w′)


Fig. 4: Weak-head normal and neutral forms


an elimination of a proof of ⊥. In other words, neutral terms are weak-head
normal forms that should not exist in an empty context. In CIC^obs, inhabitants
of a proof-irrelevant type are never considered as whnf, as there is no notion of
reduction of proof-irrelevant terms.

This notion of neutral terms is standard, but we need to pay particular
attention to neutral terms for cast. They correspond to all forms of cast for
which there is no attached reduction rule. Because we assume that cast first
evaluates its left type argument, then the second and finally its term argument,
neutral terms of cast occur either when the first type is neutral, or when the first
type is a type constructor and the second type is neutral, or when the two types are
the same type constructor, but the argument is neutral. Note that the reduction
rule for casting a function always fires, so there is no associated neutral term
in that case. Finally, casts between two different type constructors are always
considered as stuck terms and should be seen as a variant of ⊥-elim A e because
they correspond to casts based on an inconsistent proof of equality, thus similar
to the elimination of a proof of ⊥.

At the heart of the decision procedure for conversion, there is a notion of
typed reduction, noted Γ ⊢ t ⇝ u : A. Intuitively, reduction corresponds to an
orientation of the conversion rule in order to provide a rewrite system for which
we can compute normal forms. However, not every conversion corresponds to
a reduction rule: turning rule CAST-REFL into a reduction rule would spawn
several critical pairs, and even more annoyingly, its convertibility premise would
force us to define reduction mutually with conversion checking. As we are not aware
of any framework that properly handles this type of circularity, we will sidestep
the issue by deferring CAST-REFL to conversion checking, where we only have
to deal with neutral terms and weak-head normal forms.

Actually, the purpose of reduction is to compute weak-head normal forms so
that conversion rules that are not part of the reduction only have to be checked
on weak-head normal forms. We do not detail the standard rules for CIC and
focus on the ones for cast (Fig. 5). The congruence rule for cast corresponds to
several reduction rules, because we need to be careful to reduce one argument
after the other in order, so that weak-head reduction remains deterministic.
The reduction rules CAST-ZERO, CAST-SUC and CAST-UNIV correspond to the
rule CAST-REFL where the arguments are instantiated by weak-head normal
forms that are not neutral. Indeed, in that case cast must reduce. Conversion for
cast when one of the scrutinees is neutral is deferred to algorithmic conversion.
CAST-Π-RED
  Γ ⊢ A, A′ : s    Γ, x : A ⊢ B : s′    Γ, x : A′ ⊢ B′ : s′
  Γ ⊢ e : Π(x : A). B ~ Π(x : A′). B′ : Ω    Γ ⊢ f : Π(x : A). B    a := cast A′ A (Π¹ e) a′
  ----------------------------------------------------------------------------------------------
  Γ ⊢ cast (Π(x : A). B) (Π(x : A′). B′) e f ⇝
        λ(a′ : A′). cast (B[x := a]) (B′[x := a′]) (Π² e a′) (f a) : Π(x : A′). B′

CAST-ZERO
  Γ ⊢ e : ℕ ~U_0 ℕ : Ω
  ------------------------------
  Γ ⊢ cast ℕ ℕ e 0 ⇝ 0 : ℕ

CAST-SUC
  Γ ⊢ e : ℕ ~U_0 ℕ : Ω    Γ ⊢ n : ℕ : U_0
  ------------------------------------------------------
  Γ ⊢ cast ℕ ℕ e (S n) ⇝ S (cast ℕ ℕ e n) : ℕ

CAST-UNIV
  Γ ⊢ e : s ~s′ s    Γ ⊢ A : s    𝒜(s, s′)
  -------------------------------------------
  Γ ⊢ cast s s e A ⇝ A : s

CONV-RED
  Γ ⊢ t ⇝ u : A    Γ ⊢ A ≡ B : U_i
  ----------------------------------
  Γ ⊢ t ⇝ u : B

CAST-SUBST
  Γ ⊢ A ⇝ A′ : s    Γ ⊢ B : s    Γ ⊢ e : A ~s B : Ω    Γ ⊢ t : A : s
  -------------------------------------------------------------------
  Γ ⊢ cast A B e t ⇝ cast A′ B e t : B

CAST-SUBST-NF
  Γ ⊢ A : s    whnf A    Γ ⊢ B ⇝ B′ : s    Γ ⊢ e : A ~s B : Ω    Γ ⊢ t : A : s
  ------------------------------------------------------------------------------
  Γ ⊢ cast A B e t ⇝ cast A B′ e t : B

CAST-SUBST-NF-NF
  Γ ⊢ A, B : s    whnf A    whnf B    Γ ⊢ e : A ~s B : Ω    Γ ⊢ t ⇝ u : A
  -------------------------------------------------------------------------
  Γ ⊢ cast A B e t ⇝ cast A B e u : B


Fig. 5: CIC^obs Reduction Rules (rules for cast) [Typed.agda]


Note that because reduction is typed, we need to be able to change the
type to any convertible one (rule CONV-RED). Finally, we consider the reflexive
transitive closure of reduction, noted Γ ⊢ t ⇝* u : A.


4.2 Algorithmic Conversion 


Algorithmic conversion (Fig. 6) is defined by comparing weak-head normal forms and
interleaving it with reduction. This way, an algorithmic conversion derivation
can be seen as a canonical derivation of declarative conversion, where "transitive
cuts" have been eliminated. It is called algorithmic, because it becomes directed
by the shape of the terms, and the premises of each rule are on smaller terms.
In CIC, it is even the case that at most one rule can be applied, so decidability
of algorithmic conversion is pretty direct. In CIC^obs however, decidability of
algorithmic conversion is less direct because there are three rules that can be
applied when the head is cast on both sides. We come back to this difficulty in
Section 4.3.

The judgment Γ ⊢ t ≅ne u : A corresponds to a canonical conversion deriva-
tion between two neutral terms t and u at an arbitrary type A while the judgment
Γ ⊢ t ≅ u : A corresponds to a canonical derivation of conversion for terms in
whnf when the type is also in whnf. This can be understood from a bidirec-
tional perspective because comparison of neutral terms infers an arbitrary type,
whereas for other weak-head normal forms, the inferred type is in weak-head
normal form. Bidirectional typing [5,16] is traditionally used in type theory to
PROOF-IRR
  Γ ⊢ t, u : A : Ω
  --------------------
  Γ ⊢ t ≅ne u : A

VAR-REFL
  Γ ⊢ x : A : U_i
  --------------------
  Γ ⊢ x ≅ne x : A

APP-CONG
  Γ ⊢ t ≅ne u : Π^{s,U_i}(x : A). B    Γ ⊢ a ≅↑ b : A
  ----------------------------------------------------
  Γ ⊢ t a ≅ne u b : B[x := a]

CAST-CONG
  Γ ⊢ A ≅ A′ : s    Γ ⊢ B ≅ B′ : s    Γ ⊢ t ≅ t′ : A    Γ ⊢ e : A ~s B : Ω
  Γ ⊢ e′ : A′ ~s B′ : Ω    neutral (cast A B e t)    neutral (cast A′ B′ e′ t′)
  -----------------------------------------------------------------------------
  Γ ⊢ cast A B e t ≅ne cast A′ B′ e′ t′ : B

CAST-REFL-L
  Γ ⊢ A ≅ B : s    Γ ⊢ t ≅ u : A    Γ ⊢ e : A ~s B : Ω    neutral (cast A B e t)    neutral u
  -----------------------------------------------------------------------------------------------
  Γ ⊢ cast A B e t ≅ne u : B

CAST-REFL-R
  Γ ⊢ B ≅ A : s    Γ ⊢ t ≅ u : A    Γ ⊢ e : A ~s B : Ω    neutral t    neutral (cast A B e u)
  -----------------------------------------------------------------------------------------------
  Γ ⊢ t ≅ne cast A B e u : A

NE-WHNF
  Γ ⊢ t, u : A : U_i    whnf A    Γ ⊢ t ≅ne u : A
  --------------------------------------------------
  Γ ⊢ t ≅ u : A

NE-RED
  Γ ⊢ A ⇝* B : U_i    whnf B    Γ ⊢ t ≅ne u : A
  ------------------------------------------------
  Γ ⊢ t ≅ne↑ u : B

WHNF-RED
  Γ ⊢ A ⇝* B : U_i    Γ ⊢ t ⇝* t′ : A    Γ ⊢ u ⇝* u′ : A
  whnf B, whnf t′, whnf u′    Γ ⊢ t′ ≅ u′ : B
  ----------------------------------------------------------
  Γ ⊢ t ≅↑ u : A


Fig. 6: CIC^obs Algorithmic Conversion Rules (except congruence rules)
[sionGen.agda]


provide a canonical typing derivation by splitting the typing judgment into two:
one judgment that infers the type of a term and another one that checks that the
inferred type of a term is convertible to the type given as input. This allows bidi-
rectional typing to restrict the use of the conversion rule only to well-controlled
places, and thus to provide only canonical derivations. In this presentation, it
should be noticed that neutral terms infer an arbitrary type (for instance,
the application rule infers the type of the codomain of the function with an
additional substitution) whereas other weak-head normal forms always infer a
type also in weak-head normal form. But the structural rules for conversion cor-
respond to a relational version of the typing judgments, so that in some sense
conversion subsumes typing. This means that we need to reflect this important
distinction in the algorithmic conversion because the structural conversion rules
for neutral terms (Γ ⊢ t ≅ne u : A) will naturally be performed at an arbitrary
type A whereas Γ ⊢ t ≅ u : A is always done at a type A in weak-head normal
form.

Because conversion of whnf must contain conversion of neutrals as a particu-
lar case, we need those two notions to be compatible. To that end, we introduce
two other judgments: Γ ⊢ t ≅ne↑ u : B means that Γ ⊢ t ≅ne u : A and B is the
whnf of A (rule NE-RED), and Γ ⊢ t ≅↑ u : A means that Γ ⊢ t′ ≅ u′ : B and
t′, u′ and B are the whnf of t, u and A respectively (rule WHNF-RED).

Let us now turn to the description of the relation Γ ⊢ t ≅ u : A which
mainly contains congruence rules for weak-head constructors, that are used in
particular to show that reflexivity is admissible. Those congruence rules just
ask for convertibility of each sub-argument, with some sanity conditions on the
leaves, to ensure that only well-typed terms are considered in the conversion
relation. Then, the rule NE-WHNF says that two neutral terms are comparable
as whnf when they are comparable as neutral terms.

The relation Γ ⊢ t ≅ne u : A contains a first rule to deal with proof-irrelevance
in Ω (rule PROOF-IRR). As any term in Ω is neutral, this rule only checks that
the two terms are proofs of the same proposition. The rule for variables (rule
VAR-REFL) applies when there is the same variable x on the left and on the
right, and this variable is declared in the local context Γ.

Then, there are four congruence rules to deal with eliminators. An eliminator
is neutral when one of its scrutinees is neutral. The situation for cast is more
complex as there are three different scrutinees (the two types and the term to be
cast) and the whole term is neutral as soon as one of them is neutral. There is
also a last kind of neutrals for cast which corresponds to impossible casts, that
is casts between types with different head constructors. We can actually factorize
all those cases and present only one rule CAST-CONG that simply asks both
casts to be neutral terms, at the price of a seemingly less accurate system. Indeed,
because we are oblivious to the reason why the casts are neutral, all preconditions
are asking for conversion as weak-head normal form instead of specializing in the
case of neutral terms. However, by inversion on the rule, it is possible to show
that two neutral terms are convertible as whnf if and only if they are convertible
as neutral terms, so in the end this factorized rule is equivalent to a system with
one rule per kind of neutral term as defined in Fig. 4.

To deal with CAST-REFL we need to introduce two rules, one for simpli-
fication of cast on the left, and one on the right. This is because we have no
rule for symmetry (to keep the system algorithmic) and symmetry must be an
admissible rule. So the conversion rule is split into the two rules CAST-REFL-L
and CAST-REFL-R. Again, we use a factorization to get only two rules, not
specializing on the reason why a cast is neutral.

The main point of this algorithmic conversion is that it does not contain
any rule for symmetry or transitivity. This is because they make it very diffi-
cult to prove decidability of conversion. However, we can show that symmetry
([Symmetry.agda]) and transitivity are admissible ([Transitivity.agda]).


4.3 Decidability of Algorithmic Conversion 


We now turn to the definition of a decision procedure for the algorithmic conver-
sion [Decidable.agda]. Actually, what we first prove is the decidability of algorith-
mic conversion for two terms t and u, assuming that we know that Γ ⊢ t ≅ne t : A
and Γ ⊢ u ≅ne u : A. The fact that algorithmic conversion is reflexive is actu-
ally a consequence of the completeness of algorithmic conversion with respect
to declarative conversion that will be shown in the next section. The hypothesis
that t and u are in the diagonal of the algorithmic conversion contains a lot of in-
formation, because by inversion on the derivations, we can actually recover the
fact that t and u can be reduced to a whnf whose subterms can also be reduced
to whnf, and this again and again up to getting a deep normal form.

The decidability proof of conversion for MLTT in [2] coarsely amounts to zip-
ping the two reflexivity proofs together, showing that when the two derivations
do not share the exact same structure, then the two terms are not convertible.
This is not the case anymore in presence of the rules CAST-REFL-L and
CAST-REFL-R, and the reasoning cannot stay on the "diagonal" of the algorithmic
conversion. This is not an issue as actually from the fact that Γ ⊢ t ≅ne t′ : A,
we can deduce that both t and t′ can be put in deep normal form and so some-
how, Γ ⊢ t ≅ne t′ : A can be used as termination witness in the same way as
Γ ⊢ t ≅ne t : A.

However, the main difficulty in this new setting is that it is not true anymore
that when the two derivations do not share the exact same structure, then the
two terms are not convertible. Consider for instance cast A B e t against t:
the reflexivity proofs for these two terms cannot share the same structure, yet
they are convertible by rule CAST-REFL-L. In addition, in the more complex
case of cast A B e t against cast A′ B′ e′ t′, there are three cases to consider,
because the last rule to show that they are convertible can be either CAST-CONG,
CAST-REFL-L or CAST-REFL-R. This means in particular that the proof
that two terms are algorithmically convertible is not unique anymore, and the
decidability procedure has to make an arbitrary choice, depending on which order
it tests the three different possibilities, and backtrack.

The statement of decidability needs to be generalized in the following way. 


Theorem 1 (Decidability of algorithmic conversion, Decidable.agda). For any natural number $n$, given two proofs of neutral comparison $\pi : \Gamma \vdash t \cong_{\mathrm{ne}} t : A$ and $\pi' : \Delta \vdash u \cong_{\mathrm{ne}} u : B$ such that $\vdash \Gamma \equiv \Delta$ and $\mathrm{size}(\pi) + \mathrm{size}(\pi') < n$, knowing whether there exists a type $C$ such that $\Gamma \vdash t \cong_{\mathrm{ne}} u : C$ is decidable.


Note that the statement is based on a notion of size of a derivation, written size, because the algorithm makes recursive calls that are not structurally decreasing. To conclude on the completeness of algorithmic conversion (Completeness.agda), we reuse the logical relation setting described in [2] for proving strong normalization and decidability of conversion in various type theories, later extended in [22,23]. We do not detail the definition of the logical relation here, as it is not specific to our system; what is important is that it provides the following consequence.


5 Inductive Definitions 


On top of the rules from Section 3, CIC^obs includes a scheme to define proof-relevant inductive types that is based on the scheme of CIC (as defined in [26]). Inductive definitions are not manipulated as first class objects: instead, the user declares all the necessary inductive types using a standard syntax, before starting their proof. After each declaration, the theory is automatically extended with the new type former, inductive constructors, etc.

The syntax for the inductive scheme of CIC^obs is exactly the same as the scheme of CIC; the difference lies in the fact that inductive definitions will additionally have to generate projections for the observational equality types and computation rules for the cast operator. We start by explaining how it works for inductive types without indices, and then we extend it to general indexed inductive definitions by using the Fordism transformation and some syntactic sugar. We will spare the reader the added complexity of mutually defined families, which is mathematically direct but heavy on notation.


5.1 Inductive Definitions Without Indices 


We use a syntax based on the one used by the COQ proof assistant for inductive 
definitions. The general form of a non-indexed type looks like this: 


Inductive Ind ($\vec{a} : \vec{A}$) : $\mathcal{U}_\ell$ :=
| $c_0 : \forall (\vec{b} : \vec{B}_0),\ \mathrm{Ind}\ \vec{a}$
| ...
| $c_n : \forall (\vec{b} : \vec{B}_n),\ \mathrm{Ind}\ \vec{a}$


In order to represent arbitrary contexts of parameters more compactly, we use a vector notation. The parameter $(\vec{a} : \vec{A})$ represents a context of the form $a_1 : A_1, \ldots, a_m : A_m$ where each type may depend on the previous ones. Similarly, every constructor of the inductive type has a context of arguments, that may include recursive calls to Ind in strictly positive positions; however, we will not be paying special attention to recursive calls, as their treatment is not affected by the observational equality. The universe $\mathcal{U}_\ell$ must be larger than all the types that appear in the constructor arguments $\vec{B}_i$. Inductive definitions in the sort of propositions $\Omega$ are not allowed.

After the user makes such a definition, the system is extended with the new type former Ind and the inductive constructors $c_0, \ldots, c_n$ with their prescribed types. Additionally, CIC^obs provides two operators match and fix that are used to define functions out of an inductive definition, following the typing and computation rules described in [11]. As we explain in Section 2, this elimination principle is enough to completely determine the observational equality between any two inhabitants of Ind, thus our system does not provide any additional rule for this. However, the observational equality between two instances of Ind does not benefit from any such principle, so we add "projection" operators to characterize equalities between inductive types:


$\mathrm{eq\_c}_i : \forall (\vec{a} : \vec{A})\ (\vec{a}' : \vec{A}),\ \mathrm{Ind}\ \vec{a} \sim \mathrm{Ind}\ \vec{a}' \to \vec{B}_i[\vec{a}] \sim \vec{B}_i[\vec{a}']$ \quad ($\forall i$)


The projections $\mathrm{eq\_c}_i$ are generated when the user makes the definition of Ind, just like the constructors $c_i$. Remark that the codomains of these projections are equalities between two vectors, which is a notational shorthand for a vector of equalities. In practice, this means that each $\mathrm{eq\_c}_i$ will be implemented as a family of projections $(\mathrm{eq\_c}_{i,j})_j$, where each projection depends on the previous ones. Thus, we get as many projections as there are constructor arguments in the inductive definition. Finally, we add computation rules for cast:


$\mathrm{cast}\ (\mathrm{Ind}\ \vec{a})\ (\mathrm{Ind}\ \vec{a}')\ e\ (c_i\ \vec{b}) \equiv c_i\ (\mathrm{cast}\ (\vec{B}_i[\vec{a}])\ (\vec{B}_i[\vec{a}'])\ (\mathrm{eq\_c}_i\ \vec{a}\ \vec{a}'\ e)\ \vec{b})$ \quad ($\forall i$)


5.2 Deriving a Scheme for Indexed Inductive Types 


In order for CIC^obs to be a proper extension of CIC, we need to extend our scheme to indexed inductive definitions. These get a bit messier than non-indexed definitions, but in fact we already have all the pieces we need: as we saw in Section 2.2, the rule [CAST-REFL] allows us to use the Fordism transformation and faithfully encode indexed inductive types with parametrized inductive types. Consequently, we will define the scheme for indexed definitions in terms of the scheme for non-indexed definitions, using syntactic sugar and elaboration. That way, the typing and computation rules of CIC that involve indexed inductive types remain valid in CIC^obs, but the inductive types and constructors are elaborated to their non-indexed counterpart under the hood.

We now explain in detail how this elaboration process works. When the user defines an indexed inductive type Ind, they are actually defining the forded version $\mathrm{Ind}_F$ via the scheme for non-indexed definitions:


Inductive Ind ($\vec{a} : \vec{A}$) : $\forall (\vec{z} : \vec{X}),\ \mathcal{U}_\ell$ :=
| $c_0 : \forall (\vec{b} : \vec{B}_0),\ \mathrm{Ind}\ \vec{a}\ \vec{y}_0$
| ...
| $c_n : \forall (\vec{b} : \vec{B}_n),\ \mathrm{Ind}\ \vec{a}\ \vec{y}_n$

Inductive $\mathrm{Ind}_F$ ($\vec{a} : \vec{A}$) ($\vec{z} : \vec{X}$) : $\mathcal{U}_\ell$ :=
| $c_{0,F} : \forall (\vec{b} : \vec{B}_0),\ \vec{y}_0 \sim \vec{z} \to \mathrm{Ind}_F\ \vec{a}\ \vec{z}$
| ...
| $c_{n,F} : \forall (\vec{b} : \vec{B}_n),\ \vec{y}_n \sim \vec{z} \to \mathrm{Ind}_F\ \vec{a}\ \vec{z}$


The scheme generates projections for observational equalities between the constructor arguments, including the index equalities $\vec{y}_i \sim \vec{z}$ that are hidden in the user definition. Then, our system defines Ind and its constructors in terms of their forded counterparts:


$\mathrm{Ind}\ \vec{a}\ \vec{z} := \mathrm{Ind}_F\ \vec{a}\ \vec{z}$ \qquad $c_i\ \vec{b} := c_{i,F}\ \vec{b}\ \mathrm{refl}$

The pattern matching on inhabitants of the indexed inductive type is elaborated to a pattern matching on the forded version, by inserting a cast in each branch. Concretely, consider the following pattern matching on $i : \mathrm{Ind}\ \vec{a}\ \vec{z}$:


match $i$ return $P$ with | $c_0\ \vec{b} \Rightarrow t_0$ | ... | $c_n\ \vec{b} \Rightarrow t_n$ end


The return type is $P\ i$, and thus in the branch for $c_i\ \vec{b}$, the term $t_i$ provided by the user has type $P\ \vec{y}_i\ (c_i\ \vec{b})$. After the elaboration, this branch matches a forded pattern $c_{i,F}\ \vec{b}\ e$, and should now return a result of type $P\ \vec{z}\ (c_{i,F}\ \vec{b}\ e)$. We can obtain this result by type-casting the user-supplied term $t_i$ along the equality proof $e$ to obtain

$\mathrm{cast}\ (P\ \vec{y}_i\ (c_i\ \vec{b}))\ (P\ \vec{z}\ (c_{i,F}\ \vec{b}\ e))\ (\mathrm{ap2}\ P\ (c_{i,F}\ \vec{b}\ e))\ t_i$

where ap2 is a slight generalization of the proof that function applications preserve equalities. Thanks to the rule [CAST-REFL], this elaboration preserves the computation rule of the pattern-matching for indexed inductive types. Note that there is nothing special to do for fixpoints: they work out of the box. This concludes the description of our formal system CIC^obs.
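The elaboration just described, replayed on length-indexed vectors in plain Coq as an added example (this is not the paper's code and not part of CIC^obs): Coq's propositional equality stands in for the observational equality ~, eliminating that equality inside each branch plays the role of the inserted cast, and the names Vec, VecF, toF and ofF are ours.

```coq
(* Added example, not the paper's code: Fordism by hand in plain Coq.
   Assumed names: Vec, VecF, toF, ofF. *)

(* The indexed definition the user writes: length-indexed vectors. *)
Inductive Vec (A : Type) : nat -> Type :=
| vnil  : Vec A 0
| vcons : forall n, A -> Vec A n -> Vec A (S n).

(* Its forded counterpart: the index becomes a parameter m and every
   constructor carries an equality between its "real" index and m,
   just like the hidden y_i ~ z of Section 5.2. *)
Inductive VecF (A : Type) (m : nat) : Type :=
| vnilF  : 0 = m -> VecF A m
| vconsF : forall n, A -> VecF A n -> S n = m -> VecF A m.

(* c_i b := c_{i,F} b refl : the user's constructors are the forded
   ones applied to a reflexivity proof. *)
Fixpoint toF {A : Type} {m : nat} (v : Vec A m) : VecF A m :=
  match v in Vec _ m' return VecF A m' with
  | vnil _ => vnilF A 0 eq_refl
  | vcons _ n a v' => vconsF A (S n) n a (toF v') eq_refl
  end.

(* Matching on the forded version: each branch transports its result
   along the stored equality, which is the "cast in each branch"
   inserted by the elaboration. *)
Fixpoint ofF {A : Type} {m : nat} (v : VecF A m) : Vec A m :=
  match v with
  | vnilF _ _ h =>
      match h in (_ = k) return Vec A k with
      | eq_refl => vnil A
      end
  | vconsF _ _ n a v' h =>
      match h in (_ = k) return Vec A k with
      | eq_refl => vcons A n a (ofF v')
      end
  end.

(* The two presentations agree on canonical forms: the reflexivity
   proofs stored by toF compute away, so the round trip is the identity. *)
Lemma ofF_toF {A : Type} {m : nat} (v : Vec A m) : ofF (toF v) = v.
Proof.
  induction v as [| n a v' IH]; simpl.
  - reflexivity.
  - rewrite IH. reflexivity.
Qed.
```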


6 Consistency of the Theory 


In Section 2 we saw that combining the inductive scheme of CIC with the observational equality can endanger the consistency of the theory if we are not careful. In the end, it is possible to fix the issue by picking a better definition for the observational equality of inductive types, but now we want to make sure that this new definition will not lead to another inconsistency. To do this, we build a model of CIC^obs in set theory, thereby reducing the consistency of our system to the consistency of ZFC set theory with Grothendieck universes. Our model is mostly an extension of the one that was presented in [23] to general inductive definitions, using the interpretation of inductive definitions that was developed in [26].


6.1 Observational Type Theory in Sets 


We work in ZFC set theory with a countable hierarchy of Grothendieck universes $V_0, V_1, V_2$, etc. We write $\Omega := \{\bot, \top\}$ for the lattice of truth values, and given $p \in \Omega$ we write $\mathrm{val}\ p$ for the associated set $\{x \in \{x\} \mid p\}$. Since our goal is to interpret a dependent type theory, we will need set-theoretic dependent products and dependent sums. We write the former as $(a \in A) \to (B\ a)$, and the latter as $(a \in A) \times (B\ a)$, to distinguish them from their type-theoretic counterparts.

Our model will be based on the types-as-sets interpretation of dependent type theory, according to which contexts are interpreted as sets, types and terms over a context $\Gamma$ become sets indexed over the interpretation of $\Gamma$, the typing relation corresponds to set membership, and conversion is interpreted as set-theoretic equality. Such models have already been defined for a wide variety of type theories; of particular interest to us is the model of [26], which supports an impredicative sort of propositions (interpreted as the lattice of truth values) and the full scheme of inductive definitions of CIC. Since ZFC set theory is extensional by nature, this model also validates the principles of function extensionality and proposition extensionality, which would almost make it a model of CIC^obs, were it not for two small issues.

The first issue is the absence of the observational equality and the cast operator in the model of [26]. We can easily fix this by interpreting the observational equality as the set-theoretic equality, and cast as the identity function. That way, cast verifies all the desired equations for trivial reasons, including the rule [CAST-REFL]. After all, the model does not differentiate between conversion and propositional equality!

The second issue is a bit more serious, and deals with the universes. In [26], the authors directly interpret the type-theoretic universes as the corresponding Grothendieck universes, which is perfectly fine for CIC. But this does not work for CIC^obs, as we would lose the injectivity of dependent products: consider for instance the two types $\mathrm{Empty} \to \mathbb{N}$ and $\mathrm{Empty} \to \mathbb{B}$. Both are interpreted as a singleton set, but in CIC^obs we can prove that they cannot be equal. To recover this injectivity, we label the sets in the universe with additional information that indicates how they were built. This way, the type $\mathrm{Empty} \to \mathbb{N}$ is interpreted as a singleton set and an indication that it is a function type from Empty to $\mathbb{N}$, while $\mathrm{Empty} \to \mathbb{B}$ has a different label.

$\llbracket \Gamma \vdash \mathcal{U}_i \rrbracket_\rho := (V_i \times V_i,\ \emptyset)$
$\llbracket \Gamma \vdash \Omega \rrbracket_\rho := (\Omega,\ \emptyset)$
$\llbracket \Gamma \vdash \Pi^{\mathcal{U}}(x : A).\,B \rrbracket_\rho := \big((a \in \mathrm{fst}\,\llbracket \Gamma \vdash A \rrbracket_\rho) \to \mathrm{fst}\,\llbracket \Gamma, A \vdash B \rrbracket_{\rho,a},\ (\llbracket \Gamma \vdash A \rrbracket_\rho,\ \lambda a.\,\llbracket \Gamma, A \vdash B \rrbracket_{\rho,a})\big)$
$\llbracket \Gamma \vdash \Pi^{\Omega}(x : A).\,B \rrbracket_\rho := \big((a \in \mathrm{val}\,\llbracket \Gamma \vdash A \rrbracket_\rho) \to \mathrm{fst}\,\llbracket \Gamma, A \vdash B \rrbracket_{\rho,a},\ (\mathrm{val}\,\llbracket \Gamma \vdash A \rrbracket_\rho,\ \lambda a.\,\llbracket \Gamma, A \vdash B \rrbracket_{\rho,a})\big)$
$\llbracket \Gamma \vdash \mathrm{Ind}\ \vec{X} \rrbracket_\rho := (\mathrm{IndElem}\,\llbracket \Gamma \vdash \vec{X} \rrbracket_\rho,\ \mathrm{IndLabel}\,\llbracket \Gamma \vdash \vec{X} \rrbracket_\rho)$

Fig. 7: Codes for universes, dependent products and inductive types


6.2 Coinductive Labels for Inductive Types 


In this section, we give a proper definition for our labelled universe. The technique of using labels to build a universe that is generic for sets and ensures the injectivity of dependent products is a re-reading of the technique of [13]. However, his construction seems difficult to extend with parametrized inductive types: the use of induction-recursion seems to force us to have the injectivity of parameters, which we do not want (cf. Section 2.3). Therefore we ditch induction-recursion for a definition that is somewhat more set-theoretic: our interpretation of the universe $\mathcal{U}_i$ is simply $V_i \times V_i$, meaning that a code in the universe is a pair of sets. The first set of the pair is the (semantic) type, and the second set is the label. The "El" function that transforms a code into a type is thus simply the first projection.

Fig. 7 shows the interpretation for the proof-relevant type formers of CIC^obs. The interpretation function that transforms a syntactic object into a semantic object is written $\llbracket \Gamma \vdash \_ \rrbracket_\rho$, where $\rho$ is a set-theoretic function that assigns a set to every variable of the context $\Gamma$. Unsurprisingly, the syntactic universes $\mathcal{U}_i$ and $\Omega$ are interpreted as their semantic counterparts, with the default label (the empty set). Dependent products are also interpreted as their set-theoretic counterparts, but in that case the label contains the domain and the codomain, ensuring that two dependent products are not identified unless their domain and codomain are themselves equal.

The case of the inductive definitions is a bit more involved. Thankfully we do not need to treat indices, as they are encoded using Fordism (cf. Section 5.2). Thus, we consider a non-indexed inductive definition Ind as in Section 5, with a vector of parameters $\vec{A}$:

Inductive Ind ($\vec{a} : \vec{A}$) : $\mathcal{U}_\ell$ :=
| $c_0 : \forall (\vec{b} : \vec{B}_0),\ \mathrm{Ind}\ \vec{a}$
| ...
| $c_n : \forall (\vec{b} : \vec{B}_n),\ \mathrm{Ind}\ \vec{a}$


Given any vector $\vec{X}$ of elements of the family of sets $\mathrm{fst}(\llbracket \vec{A} \rrbracket_\rho)$, we define $\mathrm{IndElem}\ \vec{X}$ to be the set constructed in [26], which is well-defined if the definition of Ind is strictly positive and all the interpretations of the $\vec{B}_i$ are well-defined. Reproducing their construction in full detail would take us too far from the scope of this paper, so we will simply mention that it is the initial algebra of the set-theoretic endofunctor corresponding to Ind evaluated in $\vec{X}$. This gives us the first projection of $\llbracket \Gamma \vdash \mathrm{Ind}\ \vec{X} \rrbracket_\rho$, and now we need to define the second projection $\mathrm{IndLabel}\ \vec{X}$. Recall from Section 2.3 that we would like the equality of two instances of Ind to satisfy:


$\mathrm{Ind}\ \vec{X} \sim \mathrm{Ind}\ \vec{Y} \;\leftrightarrow\; (\vec{B}_0(\vec{X}), \ldots, \vec{B}_n(\vec{X})) \sim (\vec{B}_0(\vec{Y}), \ldots, \vec{B}_n(\vec{Y})).$


In other words, Ind should be determined up to equality by the types of its 
constructor arguments. Therefore, it is natural to define its label directly as the 
list of these types: 


$\mathrm{IndLabel}\ \vec{X} := (\llbracket \Gamma, \vec{A} \vdash \vec{B}_0 \rrbracket_{\rho,\vec{X}},\ \ldots,\ \llbracket \Gamma, \vec{A} \vdash \vec{B}_n \rrbracket_{\rho,\vec{X}}).$


However, remark that $\vec{B}_i$ may contain a recursive call to Ind, whose interpretation is defined using IndLabel, so this definition is really an equation that we need to solve. Fortunately, a simple look at the shape of that equation reveals that it is in fact a definition for an infinite tree whose nodes are labelled with sets, which we take as our solution. Note that the result is indeed an inhabitant of $V_\ell$, since the sets that intervene in its construction (the interpretations of the types of the constructor arguments and their labels) are all in $V_\ell$. With this definition of IndLabel, we get the following property:


Lemma 1. If the inductive definition Ind is strictly positive, $\llbracket \Gamma \vdash \vec{X} \rrbracket_\rho$ is well-defined, and all the $\llbracket \Gamma, \vec{A} \vdash \vec{B}_i \rrbracket_{\rho,\vec{X}}$ are well-defined, then $\llbracket \Gamma \vdash \mathrm{Ind}\ \vec{X} \rrbracket_\rho$ is well-defined. Furthermore, $\llbracket \Gamma \vdash \mathrm{Ind}\ \vec{X} \rrbracket_\rho = \llbracket \Gamma \vdash \mathrm{Ind}\ \vec{Y} \rrbracket_\rho$ is equivalent to

$\forall i,\ \llbracket \Gamma, \vec{A} \vdash \vec{B}_i \rrbracket_{\rho,\vec{X}} = \llbracket \Gamma, \vec{A} \vdash \vec{B}_i \rrbracket_{\rho,\vec{Y}}.$


6.3 Soundness of the Model 


The definition of the observational universe is the only new insight of our con- 
struction; the rest follows the strategy laid out in [26]. For the sake of complete- 
ness, we give an outline of the definition and of the proof of soundness in this 
section. 

Ultimately, our model is defined in terms of partial functions from the syntax to the semantics. We use a function $\llbracket \_ \rrbracket$ that interprets contexts as sets and a function $\llbracket \Gamma \vdash \_ \rrbracket_\rho$ that interprets terms and types in context $\Gamma$ as sets indexed by $\rho \in \llbracket \Gamma \rrbracket$ (Fig. 8). Both functions are mutually defined by recursion on the raw syntax, and we will then prove that they are total on well-typed terms by induction on the typing derivations. Variables, lambda-abstractions and applications are interpreted respectively as projections from the context, set-theoretic functions and applications. In order to interpret the inductive constructors and the match and fix operators, we need to develop a proper theory of set-theoretic induction. Since this part is completely orthogonal to the observational primitives, we deem it out of the scope of this work and refer the interested reader to the literature instead. In [26] the authors use induction principles instead of match and fix, but argue that the two are equivalent. A model directly based on the latter can be found in [14]. The $\bot$ proposition is interpreted as the false proposition of ZFC, the observational equality as the equality of ZFC, and the cast operator as the identity function. Finally, the proof-irrelevant dependent products are interpreted as set-theoretic quantifications. The proofs of propositions such as transport or $\Pi^{-1}$ do not need to be interpreted; after all, the model is proof-irrelevant.

$\llbracket \varepsilon \rrbracket := \{\emptyset\}$
$\llbracket \Gamma, x : A : \mathcal{U}_i \rrbracket := \{(\rho, a) \mid \rho \in \llbracket \Gamma \rrbracket \wedge a \in \mathrm{fst}\,\llbracket \Gamma \vdash A \rrbracket_\rho\}$
$\llbracket \Gamma, x : A : \Omega \rrbracket := \{(\rho, a) \mid \rho \in \llbracket \Gamma \rrbracket \wedge a \in \mathrm{val}\,\llbracket \Gamma \vdash A \rrbracket_\rho\}$

$\llbracket \Gamma \vdash x \rrbracket_\rho := \rho(x)$
$\llbracket \Gamma \vdash \lambda(x : F).\,t \rrbracket_\rho := (a \in \mathrm{fst}\,\llbracket \Gamma \vdash F \rrbracket_\rho) \mapsto \llbracket \Gamma, F \vdash t \rrbracket_{\rho,a}$
$\llbracket \Gamma \vdash t\ u \rrbracket_\rho := \llbracket \Gamma \vdash t \rrbracket_\rho\,(\llbracket \Gamma \vdash u \rrbracket_\rho)$

$\llbracket \Gamma \vdash c_i\ \vec{b} \rrbracket_\rho := \ldots$ (as in Lee et al.)
$\llbracket \Gamma \vdash \mathrm{match}\ t\ \mathrm{return}\ P\ \mathrm{with}\ \{c_i\ \vec{b} \Rightarrow t_i\} \rrbracket_\rho := \ldots$ (as in Lee et al.)
$\llbracket \Gamma \vdash \mathrm{fix}\ f\ \ldots := t \rrbracket_\rho := \ldots$ (as in Lee et al.)
$\llbracket \Gamma \vdash \bot \rrbracket_\rho := \bot$
$\llbracket \Gamma \vdash \bot\text{-elim}\ A\ t \rrbracket_\rho := \text{undefined}$
$\llbracket \Gamma \vdash t \sim_A u \rrbracket_\rho := \top$ if $\llbracket \Gamma \vdash t \rrbracket_\rho = \llbracket \Gamma \vdash u \rrbracket_\rho$, $\bot$ otherwise
$\llbracket \Gamma \vdash \mathrm{cast}\ A\ B\ e\ t \rrbracket_\rho := \llbracket \Gamma \vdash t \rrbracket_\rho$

$\llbracket \Gamma \vdash \Pi^{\mathcal{U}}(y : A).\,B \rrbracket_\rho := \forall a \in (\mathrm{fst}\,\llbracket \Gamma \vdash A \rrbracket_\rho),\ \llbracket \Gamma, A \vdash B \rrbracket_{\rho,a}$
$\llbracket \Gamma \vdash \Pi^{\Omega}(y : A).\,B \rrbracket_\rho := \forall a \in (\mathrm{val}\,\llbracket \Gamma \vdash A \rrbracket_\rho),\ \llbracket \Gamma, A \vdash B \rrbracket_{\rho,a}$

Fig. 8: Interpretation of contexts and proof-relevant terms of CIC^obs

In order to prove the soundness of our interpretation, we need to extend it to weakenings and substitutions between contexts. Assume $\Gamma$ and $\Delta$ are syntactic contexts, and $A$ and $t$ are syntactic terms. In case $\llbracket \Gamma, x : A : s, \Delta \rrbracket$ and $\llbracket \Gamma, \Delta \rrbracket$ are well-defined, let $\pi_A$ be the projection:

$\pi_A : \llbracket \Gamma, x : A : s, \Delta \rrbracket \to \llbracket \Gamma, \Delta \rrbracket, \quad (\rho_\Gamma, x_A, \rho_\Delta) \mapsto (\rho_\Gamma, \rho_\Delta).$

In case $\llbracket \Gamma, \Delta[x := t] \rrbracket$ and $\llbracket \Gamma, x : A : s, \Delta \rrbracket$ are well-defined, we define the function $\sigma_t$ by:

$\sigma_t : \llbracket \Gamma, \Delta[x := t] \rrbracket \to \llbracket \Gamma, x : A : s, \Delta \rrbracket, \quad (\rho_\Gamma, \rho_\Delta) \mapsto (\rho_\Gamma, \llbracket \Gamma \vdash t \rrbracket_{\rho_\Gamma}, \rho_\Delta).$
Theorem 2 (Soundness of the Standard Model).

If $\vdash \Gamma$ then $\llbracket \Gamma \rrbracket$ is defined.
If $\Gamma \vdash A : \Omega$ then $\llbracket \Gamma \vdash A \rrbracket_\rho$ is a semantic proposition for all $\rho \in \llbracket \Gamma \rrbracket$.
If $\Gamma \vdash A : \mathcal{U}_i$ then $\llbracket \Gamma \vdash A \rrbracket_\rho$ is in $V_i$ for all $\rho \in \llbracket \Gamma \rrbracket$.
If $\Gamma \vdash t : A : \Omega$ then $\llbracket \Gamma \vdash t \rrbracket_\rho \in \mathrm{val}(\llbracket \Gamma \vdash A \rrbracket_\rho)$ for all $\rho \in \llbracket \Gamma \rrbracket$.
If $\Gamma \vdash t : A : \mathcal{U}_i$ then $\llbracket \Gamma \vdash t \rrbracket_\rho \in \mathrm{fst}(\llbracket \Gamma \vdash A \rrbracket_\rho)$ for all $\rho \in \llbracket \Gamma \rrbracket$.
If $\Gamma \vdash t \equiv u : A$ then $\llbracket \Gamma \vdash t \rrbracket_\rho = \llbracket \Gamma \vdash u \rrbracket_\rho$ for all $\rho \in \llbracket \Gamma \rrbracket$.


Since our model interprets the false proposition $\bot$ as the empty set, we get a proof of consistency:

Theorem 3 (Consistency). There are no proofs of $\bot$ in the empty context.


Furthermore, by inspecting the normal forms provided by the normalization the- 
orem, we note that the only neutral terms in the empty context are stuck casts. 
But having a stuck cast requires an equality proof between two incompatible 
types, which cannot exist from our definition of the universe. From there, we de- 
rive a canonicity theorem for inductive types: all elements of an inductive type 
without indices reduce to canonical elements in the empty context. 


7 Conclusion and Future Work 


We proposed a systematic integration of indexed inductive types with an observational equality, by defining a notion of observational equality that satisfies the computational rule of Martin-Löf's identity type and by using Fordism, a general technique to faithfully encode indexed inductive types with non-indexed types and equality. We developed a formal proof that this additional computation rule, although not present in previous works on observational equality, can be integrated into the system without compromising the decidability of conversion. This extension of CIC with an observational equality has been implemented on top of the Coq proof assistant by using the recently introduced rewrite rules.

Although the technique has been developed in the setting of CIC and Coq specifically, there is no obstacle to adapting it to other settings such as Lean or Agda. Adaptation to Lean should be pretty straightforward, as it shares most of its metatheory with Coq. A partial version of CIC^obs could be provided in Agda with rewrite rules. However, the elimination of inductive types in Agda is not done using an explicit pattern-matching syntax à la Coq, for which we can define new reduction rules. Instead, functions on inductive types are defined using case splitting trees and an exhaustivity checker. Therefore, a proper treatment of CIC^obs in Agda would require modifications of the case splitting engine, similarly to what has been done for Cubical Agda [27].


8 Data-Availability Statement 


The Agda companion formalization is available both on and as a long- 
term archived artifact [24]. 
Abstract. Dependently typed proof assistants rely crucially on definitional equality, which relates types and terms that are automatically identified in the underlying type theory. This paper extends type theory with definitional functor laws, equations satisfied propositionally by a large class of container-like type constructors $F : \mathrm{Type} \to \mathrm{Type}$, equipped with a $\mathrm{map}_F : (A \to B) \to F\,A \to F\,B$, such as lists or trees. Promoting these equations to definitional ones strengthens the theory, enabling slicker proofs and more automation for functorial type constructors. This extension is used to modularly justify a structural form of coercive subtyping, propagating subtyping through type formers in a map-like fashion. We show that the resulting notion of coercive subtyping, thanks to the extra definitional equations, is equivalent to a natural and implicit form of subsumptive subtyping. The key result of decidability of type-checking in a dependent type system with functor laws for lists has been entirely mechanized in Coq.


Keywords: Subtyping - Dependent types - Logical relation. 


1 Introduction 


Dependent type theory is the foundation of many proof assistants: Coq [53], Lean, Agda, Idris, F*. At its heart lies definitional equality, an equational theory that is automatically decided by the implementation of these proof systems. The more expressive definitional equality is, the less work is requested from users to identify objects. However, there is a fundamental tension at play: making the equational theory too rich leads to both practical and theoretical issues, the most prominent one being the undecidability of definitional equality. This defect plagues the otherwise appealing Extensional Type Theory (ETT), a type theory which makes every provable equality definitional, thus making ETT rather impractical as a basis for a proof assistant [15]. As a result, to design usable proof assistants we need to carve out a well-behaved equational theory, that strikes the right balance between expressivity and decidability. In this paper, we show that we can maintain this subtle balance while extending intensional type theory with map operations making the functorial character of type formers explicit, and satisfying definitional functor laws. We prove in particular that definitional equality and type-checking remain decidable in this extension, that we dub $\mathrm{MLTT}_{\mathrm{map}}$.

© The Author(s) 2024

The map primitives introduced in $\mathrm{MLTT}_{\mathrm{map}}$ have a computational behaviour reminiscent of structural subtyping, which propagates existing subtyping structurally through type formers, and should satisfy reflexivity and transitivity laws similar to the functor laws. Guided by the design of $\mathrm{MLTT}_{\mathrm{map}}$, we devise a second system, $\mathrm{MLTT}_{\mathrm{coe}}$, with explicit coercions witnessing structural subtyping. To gauge the expressivity of $\mathrm{MLTT}_{\mathrm{coe}}$, we relate it to a third system, $\mathrm{MLTT}_{\mathrm{sub}}$, where subtyping is implicit, as users of a type system should expect. A simple translation $|\cdot|$ from $\mathrm{MLTT}_{\mathrm{coe}}$ to $\mathrm{MLTT}_{\mathrm{sub}}$ erases coercions. We show that this erasure can be inverted, elaborating coercions back. For this to be type preserving, it is crucial that $\mathrm{MLTT}_{\mathrm{coe}}$ satisfies our new definitional equalities, which allows us to reflect the equations implicitly satisfied in $\mathrm{MLTT}_{\mathrm{sub}}$ due to coercions being transparent. Fig. 1 shows the three theories that we introduce and their relationships. They all extend Martin-Löf Type Theory (MLTT). Let us now explore in more detail these three systems.


[Fig. 1: diagram relating MLTT, $\mathrm{MLTT}_{\mathrm{sub}}$, $\mathrm{MLTT}_{\mathrm{coe}}$ and $\mathrm{MLTT}_{\mathrm{map}}$]

Fig. 1. Relation between MLTT, $\mathrm{MLTT}_{\mathrm{map}}$, $\mathrm{MLTT}_{\mathrm{sub}}$ and $\mathrm{MLTT}_{\mathrm{coe}}$. Arrows denote type-and-conversion-preserving translations between type theories. The dashed arrow is conjectural.


Functors and Their Laws The notion of functor is pervasive both in mathematics [88] and functional programming, capturing the concept of a parametrized construction applying to objects and their transformations. Reformulated in type theory, a type former $F : \mathrm{dom}(F) \to \mathrm{Type}$ is a functor when it is equipped with an operation $\mathrm{map}_F\ f : F\,A \to F\,B$ for any morphism $f : \mathrm{hom}_F(A, B)$ between two objects $A, B$ in the domain $\mathrm{dom}(F)$ of $F$.³ Here, $\mathrm{dom}(F)$ must be endowed with the structure of a category, with specified composition $\circ^F$ and identities $\mathrm{id}^F$, and $\mathrm{map}_F$ must preserve those:

$\mathrm{map}_F\ \mathrm{id}^F = \mathrm{id}$ \quad (id-eq)
$(\mathrm{map}_F\ f) \circ (\mathrm{map}_F\ g) = \mathrm{map}_F\ (f \circ^F g)$ \quad (comp-eq)

³ Morphisms $\mathrm{hom}_F(A, B)$ in $\mathrm{dom}(F)$ are not constrained to be type-theoretic functions. Accordingly, composition need not literally be the composition of functions, and the specified identities can differ from the identity $\lambda x.\,x$.
These two equations are known as the functor laws. For many container-like functors, such as $\mathrm{List}\ A$, lists of elements taken in a type $A$, a map function can be defined in vanilla type theory such that these equations can be shown propositionally, e.g. by induction. Such propositional equations need however to be used explicitly, putting an extra burden on users and possibly causing coherence issues typical when working with propositional equalities. This is not acceptable: such simple and natural identifications should hold definitionally!


Example 1 (Representation Change). Consider a dataset of pairs of a number and a boolean, represented as a list. For compatibility purposes, we may need to embed these pairs into a larger dataset using

$\mathrm{glue}\ (r : \{a : \mathbb{N};\ b : \mathbb{B}\}) : \{x : \mathbb{B};\ y : \mathbb{N};\ z : \mathbb{N}\} :=$
$\{x := r.b;\ y := r.a;\ z := \text{if } r.b \text{ then } r.a \text{ else } 42\}.$


Going from one dataset to the other amounts to mapping either glue or its left inverse glue_retr, which forgets the extra field:

$\mathrm{map}_{\mathrm{List}}\ \mathrm{glue} : \mathrm{List}\,\{a : \mathbb{N};\ b : \mathbb{B}\} \to \mathrm{List}\,\{x : \mathbb{B};\ y : \mathbb{N};\ z : \mathbb{N}\},$
$\mathrm{map}_{\mathrm{List}}\ \mathrm{glue\_retr} : \mathrm{List}\,\{x : \mathbb{B};\ y : \mathbb{N};\ z : \mathbb{N}\} \to \mathrm{List}\,\{a : \mathbb{N};\ b : \mathbb{B}\}.$


If the functor laws only hold propositionally, each consecutive simplification of back and forth changes of representation needs to be explicitly lifted to lists, and applied. The uncontrolled accumulation of repetitive proof steps, even as simple as these, can quickly burden proof development. In the presence of definitional functor laws, instead, any sequence of representation changes will reduce to a single $\mathrm{map}_{\mathrm{List}}$: the boilerplate of explicitly manipulating the functor laws is handled automatically by the type theory. Moreover, observe that in this example the retraction $\mathrm{glue\_retr} \circ \mathrm{glue} \equiv \mathrm{id}$ is definitional thanks to surjective pairing. Combined with definitional functor laws, the following simplification step is discharged automatically by the type-checker:⁴

$\mathrm{map}_{\mathrm{List}}\ \mathrm{glue\_retr}\ (\mathrm{map}_{\mathrm{List}}\ \mathrm{glue}\ l) \equiv \mathrm{map}_{\mathrm{List}}\ \mathrm{id}\ l \equiv l$

Note that these equations are valid in any context, in particular under binders, whereas for propositional identifications, rewriting under binders is only possible in the presence of the additional axiom of function extensionality.


Example 2 (Coherence of Coercions). Proof assistants may provide the ability for users to declare automatically-inserted functions acting as glue code (coercions in Coq, instance arguments in Agda, the has_coe typeclass in Lean). Working with natural ($\mathbb{N}$), integer ($\mathbb{Z}$) and rational ($\mathbb{Q}$) numbers, we want every $\mathbb{N}$ to be automatically coerced to an integer, and so declare a natToZ coercion.

⁴ We formalize this example, showing that this conversion indeed holds in our system, in file Example_1_1.
Similarly, we can also declare a ZToQ coercion. If we write 0 (a $\mathbb{N}$) where a $\mathbb{Q}$ is expected, this is accepted, and 0 is silently transformed to ZToQ (natToZ 0).

Now, if we want the same mechanism to apply when we pass the list $[0 :: 1 :: 2]$ to a function expecting a $\mathrm{List}\ \mathbb{Q}$, we need to provide a way to propagate the coercions on lists. We can expect to solve this problem by declaring $\mathrm{map}_{\mathrm{List}}$ as a coercion, too: whenever there is a coercion $f : A \to B$, then $\mathrm{map}_{\mathrm{List}}\ f$ should be a coercion from $\mathrm{List}\ A$ to $\mathrm{List}\ B$. However, by doing so, we would cause more trouble than we solve, as there would be two coercions from $\mathrm{List}\ \mathbb{N}$ to $\mathrm{List}\ \mathbb{Q}$, $\mathrm{map}_{\mathrm{List}}\,(\mathrm{ZToQ} \circ \mathrm{natToZ})$ and $(\mathrm{map}_{\mathrm{List}}\ \mathrm{ZToQ}) \circ (\mathrm{map}_{\mathrm{List}}\ \mathrm{natToZ})$. In the absence of definitional functor laws for $\mathrm{map}_{\mathrm{List}}$, these two are not definitionally equal. To add insult to injury, coercions are by default not printed to the user, yielding puzzling error messages like "$l$ and $l$ are not convertible" (!), because one is secretly $\mathrm{map}_{\mathrm{List}}\,(\mathrm{ZToQ} \circ \mathrm{natToZ})\ l$ while the other is $\mathrm{map}_{\mathrm{List}}\ \mathrm{ZToQ}\ (\mathrm{map}_{\mathrm{List}}\ \mathrm{natToZ}\ l)$. This makes $\mathrm{map}_{\mathrm{List}}$ virtually unusable with coercions.
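Example 2 replayed in plain Coq, as an added example that is not from the paper: the two coercion paths from list nat to list Q agree only up to the standard library's propositional functor law map_map (the (comp-eq) law), so conversion cannot identify them. natToZ and ZToQ are the names used in the text; the remaining definitions are ours.

```coq
(* Added example, not the paper's code: the two coercions of Example 2
   in vanilla Coq, which has no definitional functor laws. *)
Require Import ZArith QArith List.
Import ListNotations.

Definition natToZ (n : nat) : Z := Z.of_nat n.
Definition ZToQ (z : Z) : Q := inject_Z z.
Coercion natToZ : nat >-> Z.
Coercion ZToQ : Z >-> Q.

(* A lone 0 is silently elaborated to ZToQ (natToZ 0) through the
   coercion path nat >-> Z >-> Q. *)
Definition zero_as_Q : Q := 0%nat.

(* The two candidate coercions from list nat to list Q:
   map of the composite, versus the composite of the maps. *)
Definition coe_composed (l : list nat) : list Q :=
  map (fun n => ZToQ (natToZ n)) l.
Definition coe_mapped (l : list nat) : list Q :=
  map ZToQ (map natToZ l).

(* They agree propositionally, by the (comp-eq) functor law of lists,
   which the standard library proves by induction as map_map ... *)
Lemma coe_agree (l : list nat) : coe_composed l = coe_mapped l.
Proof.
  unfold coe_composed, coe_mapped.
  rewrite map_map.
  reflexivity.
Qed.

(* ... but not definitionally: both sides are stuck on the variable l,
   so eq_refl is rejected. Fail turns the error into a message, so the
   file still compiles and documents the failure. *)
Fail Definition coe_agree_conv (l : list nat)
  : coe_composed l = coe_mapped l := eq_refl.
```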


Structural Subtyping This last example suggests a connection with subtyping. Subtyping equips the collection of types with a subtyping order $\preceq$ that allows one to seamlessly transport terms from a subtype to a supertype, i.e. from $A$ to $A'$ when $A \preceq A'$. An important aspect of subtyping is structural subtyping, i.e. how subtyping extends structurally through type formers of the type theory. Typically, we want to have $\mathrm{List}\ A \preceq \mathrm{List}\ A'$ whenever $A \preceq A'$. In the context of the F* program verification platform that heavily uses refinement subtyping, the inability to propagate subtyping on inductive types such as lists has been a long-standing issue that never got solved properly [25]. The absence of structural subtyping also has a history of causing difficulties to Agda [16].


Definitional Equalities for Subtyping From the perspective of users of interactive theorem provers, subtyping should be implicit, transparently providing the expected glue to smoothen the writing of complex statements. From a metatheoretical perspective, on the other hand, it is useful to explicitly represent all the necessary information of a typing derivation, including where subtyping is used. The first approach is known as subsumptive subtyping, on the left, whereas the latter is embodied by coercive subtyping, on the right:

$\dfrac{\Gamma \vdash_{\mathrm{sub}} t : A \qquad \Gamma \vdash_{\mathrm{sub}} A \preceq A'}{\Gamma \vdash_{\mathrm{sub}} t : A'}$ \qquad $\dfrac{\Gamma \vdash_{\mathrm{coe}} t : A \qquad \Gamma \vdash_{\mathrm{coe}} A \preceq A'}{\Gamma \vdash_{\mathrm{coe}} \mathrm{coe}_{A,A'}\ t : A'}$

We want to present subsumptive subtyping to users, but ground the system on the algebraic, better-behaved coercive subtyping. Informally, an application of the subsumption rule in the subsumptive type theory $\mathrm{MLTT}_{\mathrm{sub}}$ should correspond to an application of the coercion rule in the coercive type theory $\mathrm{MLTT}_{\mathrm{coe}}$. However, given a derivation $D$ of $\Gamma \vdash_{\mathrm{sub}} t : A$, we can combine it with a reflexivity proof $\Gamma \vdash_{\mathrm{sub}} A \preceq A$ to yield a new derivation $D'$ with the same conclusion $\Gamma \vdash_{\mathrm{sub}} t : A$. $D$ and $D'$ should respectively correspond to terms $\Gamma \vdash_{\mathrm{coe}} t' : A$ and $\Gamma \vdash_{\mathrm{coe}} \mathrm{coe}_{A,A}\ t' : A$ in $\mathrm{MLTT}_{\mathrm{coe}}$. Since $t'$ and $\mathrm{coe}_{A,A}\ t'$ both erase to the same $\mathrm{MLTT}_{\mathrm{sub}}$ term $t$, they need to be equated if we want both type theories to be equivalent. Similarly, transitivity of subtyping implies that coercions should compose definitionally, that is $\Gamma \vdash_{\mathrm{coe}} \mathrm{coe}_{B,C}\,(\mathrm{coe}_{A,B}\ t') \equiv \mathrm{coe}_{A,C}\ t' : C$ should always hold in $\mathrm{MLTT}_{\mathrm{coe}}$.
Functor Laws Meet Structural Subtyping Luo et al. bo showed that the func- 
torial composition law is enough to make structural coercive subtyping 
compose definitionally, because a coercion between lists CO€List 4 List g behaves 
just as the function obtained by mapping coe, g on every element of the list. 
We further investigate this bridge between coercive subtyping and functoriality 
of type formers, in particular the identity functor law TROP to handle re- 
flexivity of subtyping, and extend Luo et al’s limited type system to full-blown 
Martin-Löf Type Theory (MLTT), with universes and large elimination. This 
understanding leads to a modular design of subtyping: structural subtyping for 
a type former relies on a functorial structure, and can be considered orthogonally 
to other type formers of the theory or to the base subtyping. Moreover, defini- 
tional functor laws are sufficient to make structural coercive subtyping for any 
type former expressive and flexible enough to interpret subsumptive subtyping. 
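To make the intended correspondence concrete, here is an added Python model, not code from the paper or from its Coq artifact, of structural coercive subtyping: a constructed refinement chain Pos ≤ Nat ≤ Int, the List and (non-dependent) Π type formers, coercions elaborated into map terms, and a normaliser that applies (id-eq) and (comp-eq) to them. It shows the two facts the paragraph relies on: a reflexive coercion such as coe_{List Int, List Int} normalises to the identity, and coe_{B,C} ∘ coe_{A,B} normalises to the same term as coe_{A,C}, including the contravariant function-domain step carried by a Π morphism. The type names, the BaseCoe constructor and the restriction to non-dependent Π are assumptions of the example.

```python
"""Structural coercive subtyping, with coercions normalised by the functor laws."""
from dataclasses import dataclass
from typing import Union

# ---- Types: constructed base hierarchy Pos <= Nat <= Int, plus List and (simple) Pi ----
@dataclass(frozen=True)
class Base:
    name: str

@dataclass(frozen=True)
class ListT:
    elem: "Ty"

@dataclass(frozen=True)
class Pi:                 # non-dependent function type dom -> cod (assumption of the example)
    dom: "Ty"
    cod: "Ty"

Ty = Union[Base, ListT, Pi]
BASE_ORDER = ["Pos", "Nat", "Int"]     # constructed refinement chain, smallest first

def leq(a: Ty, b: Ty) -> bool:
    """Structural subtyping: covariant on List and on the Pi codomain, contravariant on the Pi domain."""
    if isinstance(a, Base) and isinstance(b, Base):
        return BASE_ORDER.index(a.name) <= BASE_ORDER.index(b.name)
    if isinstance(a, ListT) and isinstance(b, ListT):
        return leq(a.elem, b.elem)
    if isinstance(a, Pi) and isinstance(b, Pi):
        return leq(b.dom, a.dom) and leq(a.cod, b.cod)
    return False

# ---- Coercion terms: coe_{A,A'} as a syntax tree, built structurally through map ----
@dataclass(frozen=True)
class Id: pass
@dataclass(frozen=True)
class BaseCoe:            # primitive coercion between two base types (hypothetical constructor)
    src: str
    dst: str
@dataclass(frozen=True)
class MapList:            # map_List c
    c: object
@dataclass(frozen=True)
class MapPi:              # map_Pi (dom_c, cod_c) h = cod_c . h . dom_c ; dom_c runs backwards
    dom_c: object
    cod_c: object
@dataclass(frozen=True)
class Compose:            # g . f  (apply f first, then g)
    g: object
    f: object

def coe(a: Ty, b: Ty):
    """Elaborate the subtyping A <= B into an explicit coercion term."""
    if not leq(a, b):
        raise TypeError(f"{a} is not a subtype of {b}")
    if isinstance(a, Base):
        return BaseCoe(a.name, b.name)   # reflexivity is NOT special-cased: coe_{A,A} is a real term
    if isinstance(a, ListT):
        return MapList(coe(a.elem, b.elem))
    return MapPi(coe(b.dom, a.dom), coe(a.cod, b.cod))

def norm(c):
    """Normalise a coercion using (id-eq), (comp-eq) and transitivity of base coercions."""
    if isinstance(c, Compose):
        g, f = norm(c.g), norm(c.f)
        if isinstance(f, Id): return g
        if isinstance(g, Id): return f
        if isinstance(g, BaseCoe) and isinstance(f, BaseCoe):
            return norm(BaseCoe(f.src, g.dst))                   # transitivity on base types
        if isinstance(g, MapList) and isinstance(f, MapList):
            return norm(MapList(Compose(g.c, f.c)))              # comp-eq for List
        if isinstance(g, MapPi) and isinstance(f, MapPi):        # comp-eq for Pi (domain side flips)
            return norm(MapPi(Compose(f.dom_c, g.dom_c), Compose(g.cod_c, f.cod_c)))
        return Compose(g, f)
    if isinstance(c, MapList):
        inner = norm(c.c)
        return Id() if isinstance(inner, Id) else MapList(inner)  # id-eq for List
    if isinstance(c, MapPi):
        d, k = norm(c.dom_c), norm(c.cod_c)
        return Id() if isinstance(d, Id) and isinstance(k, Id) else MapPi(d, k)  # id-eq for Pi
    if isinstance(c, BaseCoe) and c.src == c.dst:
        return Id()                                              # reflexive base coercion erases
    return c

def run(c, v):
    """Erase a coercion to its runtime action: base coercions are identities (refinement subtyping)."""
    if isinstance(c, Compose): return run(c.g, run(c.f, v))
    if isinstance(c, MapList): return [run(c.c, x) for x in v]
    if isinstance(c, MapPi): return lambda a: run(c.cod_c, v(run(c.dom_c, a)))
    return v

# Constructed instance: A <= B <= C, with a contravariant step in the function domain
POS, NAT, INT = Base("Pos"), Base("Nat"), Base("Int")
A, B, C = ListT(Pi(INT, POS)), ListT(Pi(NAT, NAT)), ListT(Pi(POS, INT))

def composed_equals_direct() -> bool:
    """coe_{B,C} . coe_{A,B} and coe_{A,C} agree once normalised by the functor laws."""
    return norm(Compose(coe(B, C), coe(A, B))) == norm(coe(A, C))
```

Without the `norm` step the two elaborations of A ≤ C are syntactically different terms, which is exactly the mismatch the paragraph describes; the functor laws are what make them convertible, and `run` shows that all of these coercions erase to the identity on the underlying values.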


Contributions We make the following contributions: 

— we design MLTT_map, an extension of MLTT exhibiting the functorial nature 
of standard type formers (Π, Σ, List, W, Id, +), with definitional functor 
laws (Section 3); 

— we mechanize the metatheory of a substantial fragment of MLTT_map in 
Coq, extending a formalization of MLTT […], proving it is normalizing and 
has decidable type-checking (Section 4); 

— we develop bidirectional presentations for MLTT_sub and MLTT_coe, which 
extend MLTT respectively with subsumptive and coercive subtyping; 

— we leverage these presentations and the extra functorial equations satisfied 
by coe in MLTT_coe to give back and forth, type-preserving translations be- 
tween the two systems (Section …). 

Detailed proofs and complete typing rules can be found in the extended version 
of this paper […]. The mechanized metatheory of Section 4 is provided in […], 
completed with a note describing further formalization details. 


2 Type Theory and Its Metatheory 


We work in the setting of dependent type theories à la Martin-Löf (MLTT) 
[…], an ideal abstraction of the type theories underlying existing proof assis- 
tants such as Agda, Coq, F* or Lean. MLTT employs five categories of judge- 
ments, characterizing the well-formed contexts (⊢ Γ), types (Γ ⊢ T) and terms 
(Γ ⊢ t : T), and providing the equational theory on types (Γ ⊢ A ≡ B) and 
terms (Γ ⊢ t ≡ u : A). Two terms related by this equational theory are said to be 
definitionally equal or convertible. 

Negative Types: Dependent Products and Sums Dependent function types, noted 
Π x : A.B, are introduced using λ-abstraction λ x : A.t and eliminated with appli- 
cation t u. We also include dependent sum types Σ x : A.B, introduced with pairs 
(t, u) and eliminated through projections π₁ p and π₂ p. Both come with an 
η-law. 


Universes of Types Our type theories feature a countable hierarchy of universes 
Type_i. Any inhabitant of a universe is a well-formed type, and, in order to make 
the presentation compact, we do not repeat rules applying both for universes and 
types, implicitly assuming that a rule given for terms of some universe Type_i 
has a counterpart as a type judgement whenever it makes sense. 


Positive Types: Inductives As we study the functorial status of type formers, 
parametrized inductive types are our main focus. Our running example is the type 
of lists List A, parametrized by a type A, and inhabited by the empty list ε_A and 
the consing hd ::_A tl of a head hd : A onto a tail tl : List A. Lists are eliminated 
using the dependent eliminator ind_{List A}(s; l.P; b_ε, x.y.z.b_::), which performs in- 
duction on the scrutinee s, returning a value in P[s], using the two branches b_ε 
and b_::. More generally, strictly positive recursive datatypes are often presented 
in MLTT via W x : A.B, the type of well-founded trees with nodes labelled by 
a : A of arity B a. Finally, Martin-Löf's identity type Id A x y represents equali- 
ties between two elements x, y : A. A general inductive type scheme is outside the 
scope of this paper, but the specific types we treat (List, W, Id and +) cover all 
aspects of inductive types: recursion, branching, parameters, and indices. More- 
over, they can emulate all indexed inductive types […], although we will 
see in Section 3.1 that this encoding interacts poorly with functor laws. 


Rules in the Paper Due to space constraints, we focus in the text on the most 
interesting rules, and on two types: dependent functions and lists. Together, they 
cover the interesting points of our work: dependent product types have a binder 
and come with an η-law; lists are a parametrized datatype, for which definitional 
functor laws are challenging. Complete rules are given in the appendix of […]. 


2.1 Metatheoretical Properties 


In order to show that the extensions of MLTT from Figure 1 are well-behaved, 
we establish the following meta-theoretical properties. 

In order to be logically sound, a type theory should have no closed term of 
the empty type, i.e. there should be no t such that ⊢ t : 0. This consistency prop- 
erty is an easy consequence of canonicity, which characterizes the inhabitants of 
inductive types in the empty context as those obtained by repeated applications 
of constructors, up to conversion. Consistency follows, as 0 has no constructor. 

A proof assistant should also be able to check whether a proof is valid, i.e. 
whether a typing judgement is derivable. In a dependent type system where terms 
essentially encode the structure of derivations, the main obstacle to decidability 
of typing is that of conversion. 

In order to establish both consistency and decidability, we exhibit a function 
computing normal forms of terms. Inspecting the possible normal forms in the 
empty context entails canonicity. Moreover, conversion of normal forms is easily 
decided, and so we can build on normalization to decide conversion. Finally, we 
can go further, and use normalization to build canonical representatives of typing 
and conversion derivations, which we rely on to relate our different systems. 

A more technical, but equally important property is injectivity of type con- 
structors, for instance that whenever Π x : A.B ≡ Π x : A'.B', then A ≡ A' and 
B ≡ B'. For dependent type theories, injectivity of type constructors is the 
main stepping stone towards subject reduction, the fact that reduction is type- 
preserving, and thus included in conversion. 


t ⇝ t' | Term t weak-head reduces in one step to term t' 

(λ x : A.t) u ⇝ t[u] 
ind_{List A}(ε_A; x.P; b_ε, x.y.z.b_::) ⇝ b_ε 
ind_{List A}(a ::_A l; x.P; b_ε, x.y.z.b_::) ⇝ b_::[a, l, ind_{List A}(l; x.P; b_ε, x.y.z.b_::)] 
t ⇝ t'  ⟹  t u ⇝ t' u 
t ⇝ t'  ⟹  ind_{List A}(t; x.P; b_ε, x.y.z.b_::) ⇝ ind_{List A}(t'; x.P; b_ε, x.y.z.b_::) 

t ⇝* t' | Term t weak-head reduces in multiple steps to term t' 

t ⇝* t 
t ⇝ t'    t' ⇝* t''  ⟹  t ⇝* t'' 

nf f ::= n | Π x : t.t | Type_i | List t | λ x : A.t | ε_t | t ::_t t    weak-head normal forms 
ne n ::= x | n t | ind_{List A}(n; x.t; t, t)    weak-head neutrals 

Fig. 2. Weak-head reduction and normal forms (t stands for an arbitrary term) 


2.2 Neutrals, Normals, and Reduction 


Before getting to how we establish these properties, we must introduce a last 
element: computation. Indeed, most conversion rules can be seen not just as 
equalities but can be oriented as computations to be performed. This leads to the 
definition of weak-head reduction ⇝* in Figure 2. Weak-head reduction is the 
only reduction that is used throughout this article. 

The normal forms (nf) for weak-head reduction, i.e. the terms that cannot 
reduce, are inductively characterized at the bottom of Figure 2, together with the 
companion notion of neutral forms (ne). Normal forms can be either a canonical 
term, starting with a head constructor (for instance, a λ-abstraction or ε), or a 
neutral term. Neutrals are stuck computations, blocked by a variable, e.g. x u 
is stuck on x and cannot reduce further. 


2.3 Proof techniques 


Logical Relations Logical relations are our main tool to obtain normalization 
and canonicity results. At a high level, we follow the approach of Abel et al. [2], 
where the logical relation is based on reducibility, a complex predicate on types 
and terms, which in particular entails the existence of a weak-head normal form. 
The key property is the fundamental lemma, stating that every well-typed term 
is reducible, i.e. that the logical relation is a model of MLTT. The existence of 
(deep) normal forms is obtained through the inspection of reducibility derivations 
for a term, since they contain iterated reduction steps to a normal form. 

We use the logical relation not only to characterize the normal forms of 
terms but also the conversion between them, showing that a proof of convert- 
ibility between two terms can be transformed to a canonical shape interleaving 
weak-head reduction sequences and congruence steps between weak-head normal 
forms. We detail in Section 4 the novel challenges we encountered when adapting 
the approach of Abel et al. to parametrized inductive types. 


Bidirectional Typing and Algorithmic Conversion Our second tool is a presen- 
tation of conversion and typing that, while still inductively defined, is as close 
as possible to an actual implementation. Typing is bidirectional […], i.e. de- 
composed into type inference and type checking, and essentially follows Lennon- 
Bertrand […].⁵ We use bidirectional typing for its rigid, canonical derivation 
structure, rather than for its ability to cut down type annotations on terms. 
Thus, although we use bidirectional judgements, all our terms infer a type, in 
contrast to what is common in the bidirectional literature [20, 41]. 

Algorithmic conversion, presented in Figure 3, combines ideas from both bidi- 
rectional typing and the presentation of Abel et al. [2]. Crucially, it gets rid 
entirely of the generic transitivity rule for conversion, and instead uses term- 
directed reduction, intertwined with comparison of the heads of weak-head nor- 
mal forms. Algorithmic conversion is mutually defined with a second relation, 
dedicated to comparing weak-head neutral forms, called when encountering neu- 
trals at positive types. General conversion is "checking", i.e. taking a type as 
input, while neutral comparison is "inferring", i.e. the type is an output. In turn, 
conversion is used in the following typing rule to compare the inferred type for 
t with the one it should check against. 

CHECK:  Γ ⊢ t ▹ T'    Γ ⊢ T' ≅ T  ⟹  Γ ⊢ t ◃ T 

Using the consequences of the logical relation, we can show that this algo- 
rithmic presentation has many desirable properties. For instance, transitivity 


⁵ In line with Lennon-Bertrand […], we pick ▹ as the symbol for inference, and ◃ as 
the one for checking, to avoid clashes with Coq's => in the formalization. 
Γ ⊢ n ≅_n n' ▹ T | Neutrals n and n' are comparable, inferring the type T 

NVAR:  (x : T) ∈ Γ  ⟹  Γ ⊢ x ≅_n x ▹ T 
NAPP:  Γ ⊢ n ≅_n n' ▹_h Π x : A.B    Γ ⊢ u ≅ u' ◃ A  ⟹  Γ ⊢ n u ≅_n n' u' ▹ B[u] 

Γ ⊢ t ≅_h t' ◃ T | Reduced terms t and t' are convertible at type T 

CLIST:  Γ ⊢ A ≅ A' ◃ Type_i  ⟹  Γ ⊢ List A ≅_h List A' ◃ Type_i 
CPROD:  Γ ⊢ A ≅ A' ◃ Type_i    Γ, x : A ⊢ B ≅ B' ◃ Type_i  ⟹  Γ ⊢ Π x : A.B ≅_h Π x : A'.B' ◃ Type_i 
CFUN:  Γ, x : A ⊢ f x ≅ f' x ◃ B  ⟹  Γ ⊢ f ≅_h f' ◃ Π x : A.B 
CCONS:  Γ ⊢ a ≅ a' ◃ A''    Γ ⊢ l ≅ l' ◃ List A''  ⟹  Γ ⊢ a ::_A l ≅_h a' ::_{A'} l' ◃ List A'' 
NEULIST:  Γ ⊢ n ≅_n n' ▹ S  ⟹  Γ ⊢ n ≅_h n' ◃ List A 
NEUNEU:  ne M    Γ ⊢ n ≅_n n' ▹ N  ⟹  Γ ⊢ n ≅_h n' ◃ M 

Γ ⊢ t ≅ t' ◃ T | Terms t and t' are convertible at type T 
Γ ⊢ n ≅_n n' ▹_h T | Neutrals n and n' are comparable, inferring reduced type T 

TMRED:  t ⇝* u    t' ⇝* u'    T ⇝* U    Γ ⊢ u ≅_h u' ◃ U  ⟹  Γ ⊢ t ≅ t' ◃ T 
NRED:  Γ ⊢ n ≅_n n' ▹ T    T ⇝* S    nf S  ⟹  Γ ⊢ n ≅_n n' ▹_h S 

Fig. 3. Algorithmic conversion 


is admissible, even though there is no dedicated rule. Collecting the proper- 
ties derived from the logical relation, we can obtain our second main objective: 
equivalence between the algorithmic and declarative presentations. 


Property 1 (Equivalence of the Presentations). If Γ ⊢ t : T, then Γ ⊢ t ◃ T. 
Conversely, if ⊢ Γ, Γ ⊢ T and Γ ⊢ t ◃ T, then Γ ⊢ t : T. 


Note that the implication from the bidirectional judgement to the declarative 
one only holds if the context and type are well-formed. In general, our algorith- 
mic presentations are "garbage-in, garbage-out": they maintain well-formation 
of types and contexts, but do not enforce them. Thus, most properties of the 
algorithmic derivations only hold if their inputs are well-formed, in the sense of 
Figure 4. Note that in checking and inference modes, while the term is an input, 
it is of course not assumed to be well-formed in advance, since this is what the 
judgement itself asserts. This algorithmic, syntax-directed presentation is well 
suited for implementations and to establish relationships between type systems. 
Judgement | Input(s) | Inputs are well-formed 
Γ ⊢ t ▹ T | Γ, t | ⊢ Γ 
Γ ⊢ t ◃ T | Γ, t, T | ⊢ Γ and Γ ⊢ T 
Γ ⊢ T ≅ T' ◃ | Γ, T and T' | ⊢ Γ, Γ ⊢ T and Γ ⊢ T' 
Γ ⊢ t ≅ t' ◃ T | Γ, t, t' and T | ⊢ Γ, Γ ⊢ T, Γ ⊢ t : T and Γ ⊢ t' : T 
Γ ⊢ n ≅_n n' ▹ T | Γ, n and n' | ⊢ Γ, ne n, ne n', and ∃ A, A' s.t. Γ ⊢ n : A, Γ ⊢ n' : A' 

Fig. 4. Well-formed inputs (for ≅_h and ≅_n ▹_h, similar to their non-reduced variants) 


3 A Functorial Type Theory 


We develop an extension MLTT_map of MLTT with primitive map_F operations 
for each parametrized type former F of MLTT, that is Π, Σ, +, List, W, and Id. 
These map operations internalize the functorial character of the type formers, 
and by design definitionally satisfy the functor laws for each type former F: 

map_F id ≡ id    (id-eq) 
map_F f ∘ map_F g ≡ map_F (f ∘ g)    (comp-eq) 

Section 3.1 describes the structure needed on type formers to state their functo- 
riality in MLTT_map. In Section 3.2 we show how definitionally functorial map_F 
are definable in vanilla MLTT for type formers with an η-law. Section 3.3 in- 
troduces the main content of this paper, required to enforce the functor laws 
on inductive type formers: the extension of the equational theory on neutral 
terms. We explain the technical design choices needed to define and use the log- 
ical relations for MLTT_map and obtain as a consequence that the theory enjoys 
consistency, canonicity, and decidable conversion and type-checking. We imple- 
ment these design choices in Coq for a simplified but representative version of 
MLTT_map, with one universe and the Π, Σ, List and ℕ type formers, with their 
respective map operators. This formalization is detailed in Section 4. 


3.1 Functorial Structure on Type Formers 


In order to state the functor laws for a type former F, such as Π, Σ, List, W, Id, 
we must specify the categorical structures involved. A type former F is para- 
metrized by a telescope of parameters that we collectively refer to as dom(F), 
and produces a type. We will always equip the codomain Type of a type former 
F with the category structure of functions between types, with the standard 
identity and composition. Note that composition is associative and unital up to 
conversion, thanks to η-laws on function types. 

The domain dom(F) of a type former must also be equipped with the struc- 
ture of a category. We introduce the judgement Δ ⊢_map X : dom(F) to stand for 
a substitution in context Δ of the telescope of parameters of F. Then, given two 
such instances X₁ and X₂ of parameters for F, morphisms between X₁ and X₂ 
are classified by the judgement Δ ⊢_map φ : hom_F(X₁, X₂). We require dom(F) 
to be also equipped with identities and a definitionally associative and unital 
composition: 

Δ ⊢_map X : dom(F)  ⟹  Δ ⊢_map id_X : hom_F(X, X) 
Δ ⊢_map φ : hom_F(X, Y)    Δ ⊢_map ψ : hom_F(Y, Z)  ⟹  Δ ⊢_map ψ ∘^F φ : hom_F(X, Z) 

For instance, for dependent products, dom(Π) and hom_Π are given by 

Δ ⊢_map (A, B) : dom(Π)  ≝  Δ ⊢_map A  ∧  Δ, a : A ⊢_map B 
Δ ⊢_map (f, g) : hom_Π((A₁, B₁), (A₂, B₂))  ≝  Δ ⊢_map f : A₂ → A₁  ∧  Δ, a : A₂ ⊢_map g : B₁[f a] → B₂ 

with identity id_{(A,B)} ≝ (id_A, id_B) and composition (f, g) ∘^Π (f', g') ≝ (f' ∘ f, g ∘ g'). 

⁶ These equations are all propositionally true in MLTT, proven by induction for 
datatypes. 

The domain and morphisms for each type former are described in Figure 5. 
Identities and compositions are given by the categorical structure on Type for 
List and Id, and are defined componentwise, for Σ, W and +, similarly to Π. 
Figure 6 presents the conversion rules of MLTT_map extending those of MLTT 

Type former F | Domain Δ ⊢_map X : dom(F) | Morphisms Δ ⊢_map φ : hom_F(·, ·) 
List | X = (A) ≝ Δ ⊢_map A | φ = (f) ≝ Δ ⊢_map f : A₁ → A₂ 
Π | X = (A, B) ≝ Δ ⊢_map A ∧ Δ, a : A ⊢_map B | φ = (f, g) ≝ Δ ⊢_map f : A₂ → A₁ ∧ Δ, a : A₂ ⊢_map g : B₁[f a] → B₂ 
Σ | idem | φ = (f, g) ≝ Δ ⊢_map f : A₁ → A₂ ∧ Δ, a : A₁ ⊢_map g : B₁ → B₂[f a] 
W | idem | φ = (f, g) ≝ Δ ⊢_map f : A₁ → A₂ ∧ Δ, a : A₁ ⊢_map g : B₂[f a] → B₁ 
Id | X = (A, x, y) ≝ Δ ⊢_map A ∧ Δ ⊢_map x : A ∧ Δ ⊢_map y : A | φ = (f) ≝ Δ ⊢_map f : A₁ → A₂ ∧ Δ ⊢_map f x₁ ≡ x₂ : A₂ ∧ Δ ⊢_map f y₁ ≡ y₂ : A₂ 
+ | X = (A, B) ≝ Δ ⊢_map A ∧ Δ ⊢_map B | φ = (f, g) ≝ Δ ⊢_map f : A₁ → A₂ ∧ Δ ⊢_map g : B₁ → B₂ 

Fig. 5. Domain and categorical structure on type formers 


with general functoriality rules and specific rules for each type former. For each 
type former F, map_F is introduced using MAP and witnesses the functorial 
nature of F, that is F maps morphisms φ in its domain between two instances 
of its parameters X, Y (left implicit) to functions between types 

Δ ⊢_map φ : hom_F(X, Y)  ⟹  Δ ⊢_map map_F φ : F X → F Y 

These map operations obey the two functor laws, as stated by MAPID and 
MAPCOMP. 

The computational behaviour of maps, as defined by weak-head reduction, 
depends on the type former. On Π and Σ, map is defined by its observation, 
namely application for Π and first and second projections for Σ. On inductive 
types such as List, W, Id and +, map traverses constructors, applying the 
provided morphism on elements of the parameter type(s), and itself to recursive 
arguments. This corresponds to the usual notion of map on lists. On W-types, 
the map operation relabels the nodes of the trees using its first component, 
and reorganizes the subtrees according to its second component. On identity 
types, the reflexivity proof refl_{A₁} a at a point a : A₁ is mapped to the reflexivity 
proof at f a : A₂, for f : A₁ → A₂. On sum types A + B, either the first or second 
component of the morphism (f, g) is employed depending on the constructor inj¹ 
or inj². Each reduction rule has a corresponding conversion rule in MLTT_map. 


For each type former F (Π, Σ, List, W, Id, +) 

MAP:  Γ ⊢_map X, Y : dom(F)    Γ ⊢_map f : hom_F(X, Y)  ⟹  Γ ⊢_map map_F f : F X → F Y 
MAPID:  Γ ⊢_map X : dom(F)    Γ ⊢_map t : F X  ⟹  Γ ⊢_map map_F id_X t ≡ t : F X 
MAPCOMP:  Γ ⊢_map X, Y, Z : dom(F)    Γ ⊢_map g : hom_F(X, Y)    Γ ⊢_map f : hom_F(Y, Z)    Γ ⊢_map t : F X 
  ⟹  Γ ⊢_map map_F f (map_F g t) ≡ map_F (f ∘^F g) t : F Z 

Specific rules 

map_List f (hd :: tl) ⇝ f hd :: map_List f tl        map_List f ε ⇝ ε 
π₁ (map_Σ f p) ⇝ (π₁ f) (π₁ p)        π₂ (map_Σ f p) ⇝ (π₂ f) (π₂ p) 
map_Π f h t ⇝ (π₂ f) (h ((π₁ f) t))        map_Id f (refl_{A₁} a) ⇝ refl_{A₂} (f a) 
map_+ (f, g) (inj¹ a) ⇝ inj¹ (f a)        map_+ (f, g) (inj² b) ⇝ inj² (g b) 
map_W (f, g) (sup a k) ⇝ sup (f a) (λ b. map_W (f, g) (k (g b))) 

REDMAPCOMP:  ne n    F ∈ {List, Id, +, W}  ⟹  map_F f (map_F g n) ⇝ map_F (f ∘^F g) n 

Fig. 6. MLTT_map (extends Figures 1 and 2) 


Functorial Maps and Type Former Encodings Positive sum types A + B can be 
simulated in MLTT by the type Σ b : 𝔹. δ(b, A, B), using the branching operation 
δ(b, A, B) ≝ ind_𝔹(b; z.Type_i; A, B). This encoding admits the adequate intro- 
duction and elimination rules. It induces a mapping from dom(+) to dom(Σ), 
sending a morphism Δ ⊢_map (f, g) : hom_+((A₁, B₁), (A₂, B₂)) to the morphism 
Δ ⊢_map (id_𝔹, f ⊕ g) : hom_Σ((𝔹, δ(b, A₁, B₁)), (𝔹, δ(b, A₂, B₂))) where f ⊕ g is 

Δ, b : 𝔹 ⊢_map ind_𝔹(b; z.δ(z, A₁, B₁) → δ(z, A₂, B₂); f, g) : δ(b, A₁, B₁) → δ(b, A₂, B₂). 

We can show by case analysis on 𝔹 that this mapping satisfies the propositional 
functor laws. However, it falls short of satisfying the definitional ones.⁷ It 
is thus not enough to compose map_Σ with this mapping to obtain a functorial 
action on sum types A + B, which explains why we add + primitively. 

This obstruction to inductive encodings would motivate a general definition of 
functorial map for a scheme of indexed inductive types. However, it seems already 
non-trivial to specify the categorical structure on the domain of an arbitrary 
inductive type, let alone generate the type and equations for the corresponding 
map operation. Thus, we rather concentrate on understanding the theory on 
quintessential examples, leaving a general treatment to future work. 


3.2 Extensional Types and Map 


A type A is extensional when its elements are characterized by their observation, 
i.e. any element is convertible to its η-expansion, an elimination followed by an 
introduction, an equation usually called η-law. For extensional type formers, it 
is possible to define a map operation satisfying the functor laws. In MLTT and 
MLTT_map, both (strong) dependent sums Σ and dependent products Π have 
such extensionality laws, and so their map operations are definable. 

map_Π ((g, f) : hom_Π((A, B), (A', B'))) (h : Π(x : A) B) ≝ λ a : A'. f (h (g a)) 
map_Σ ((g, f) : hom_Σ((A, B), (A', B'))) (p : Σ(x : A) B) ≝ (g (π₁ p), f (π₂ p)) 


Lemma 1. map_Π and map_Σ satisfy the definitional functor laws MAPID and 
MAPCOMP. 


The proof is immediate by unfolding the definitions of map_Π and map_Σ, applications 
of β-reduction and the η-rules for the preservation of identity. The accompanying 
artifact also shows that the functor laws hold for Coq's Π and Σ types.⁸ The 
specific rules of Figure 6 hold by β-reduction. 


3.3 New Equations for Neutral Terms in Dependent Type Theory 


Inductive types in MLTT do not satisfy a definitional η-law. For identity types, 
the η-law is equivalent to the equality reflection principle of extensional MLTT, 
whose equational theory is undecidable […]. Extensionality principles for in- 
ductive types with recursive occurrences such as List or W are also likely to break the 
decidability of the equational theory, by adapting an argument for streams […]. 
The result of the previous section hence does not apply, and it is instructive to 
look at the actual obstruction. Consider the case of List, and the equation for 
preservation of identities: 

Γ ⊢_map map_List id_A l ≡ l : List A.    (∗) 


⁷ This would amount to an instance of the η-law for 𝔹. 

⁸ In file mapPiSigmaFunctorLaws. 


Definitional Functoriality for Dependent (Sub)Types 315 


If we were to define map_List by induction on lists as is standard, we would get 

map_List (f : A → B) (l : List A) ≝ ind_List(l; _.List B; ε_B, hd.tl.ih.(f hd) ::_B ih) 

We can observe that Eq. (∗) is validated on closed canonical terms of type List: 

map_List id_A ε_A ≡ ε_A 
map_List id_A (hd ::_A tl) ≡ (id_A hd) ::_A map_List id_A tl ≡ hd ::_A tl    (by the induction hypothesis) 

However, on neutral terms, typically variables, we are stuck as long as we stay 
within the equational theory of MLTT: 

A : Type_i, x : List A ⊬ map_List id_A x ≡ x : List A. 

In order to validate Eq. (∗), MLTT_map must thus at the very least extend the 
equational theory on neutral terms. Allais et al. [6] show in the simply-typed case 
that these equations between neutral terms are actually the only obstruction to 
functor laws, and in the remainder of this section we discuss how to adapt MLTT 
to this idea. 


Map Composition and Compacted Neutrals The first step in order to validate 
the functor laws is to get as close as possible to a canonical representation dur- 
ing reduction. In order to deal with composition of maps, we extend reduction 
with REDMAPCOMP, merging consecutive stuck maps. In order to preserve the 
deterministic nature of weak-head reduction, map compaction should only apply 
when no other rule does. To achieve this, the type former F should not be exten- 
sional, because map_Π is already handled through the η-expansion of CFUN, and 
similarly for map_Σ. Moreover, the mapped term should be neither a canonical 
form where map already has a computational behaviour, nor a map itself that 
could fire the same rule. To control this, we separate neutrals, which cannot 
contain a map as their head, and compacted neutrals, which can start with at 
most one map, as shown in Figure 7 alongside normal forms. Allais et al. [6] also 
feature a similar decomposition of normal forms into three different classes, al- 
though their normal forms for lists are more complex than ours as they validate 
more definitional equations than functor laws. 


Map on Identities For identities, using a similar reduction-based approach is 
difficult: turning the equation Γ ⊢_map map_List id_A l ≡ l : List A into a reduc- 
tion raises issues similar to those encountered with η-laws. Orienting it as an 
expansion l ⇝* map_List id_A l requires knowledge of the type to ensure the ex- 
pansion only applies to lists, and is potentially non-terminating. Accommodating 
type-directed reduction would require a deep reworking of our setting. 


nf f ::= c | …    weak-head normal forms (as in Figure 2, with neutrals replaced by compacted neutrals) 
ne n ::= … | ind_{List A}(c; t; t)    weak-head neutrals 
cne c ::= n | map_F f n    compacted neutrals 

Fig. 7. Weak-head normal forms and neutrals for MLTT_map (extends Figure 2) 


As a result, just like for η on functions in rule CFUN, we implement this rule 
as part of conversion, rather than as a reduction. We also incorporate it carefully 
in the notion of reducible conversion in the logical relation, where we do have 
access to enough properties of the type theories. Since the equation is always 
validated by canonical forms, we only need to enforce it on compacted neutrals. 
The logical relation for an inductive type I (List, W, Id, +) thus specifies that 
a neutral n is reducibly convertible to a compacted neutral map_I f m, whenever 
the neutrals n and m are convertible and f agrees with the identity of dom(I) 
on any neutral term. See MAPNECONVREDL in Figure 8 of the next section for the exact 
rule. 
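As an added example, not the paper's own code nor its Coq artifact, the following Python model implements the pieces this section and Section 2.2 describe for lists: weak-head reduction with β and map on constructors (Figures 2 and 6), compaction of two stuck maps into one (REDMAPCOMP), and an algorithmic conversion that reduces both sides and then compares heads, enforcing the map-on-identities equation only on compacted neutrals (the MAPNECONVREDL/NEMAPCONVREDR shape) and the map congruence on pairs of stuck maps (MAPMAPCONVRED). The model is untyped, so η on functions is applied whenever a λ shows up and neutrals are compared structurally; it also assumes distinct binder names and that user terms never use the reserved `_v` prefix for fresh variables. All terms below are constructed.

```python
"""Weak-head reduction with map on lists, map compaction, and conversion with the
identity law on neutrals (a simplified, untyped model of Sections 2.2 and 3.3)."""
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Var:
    name: str
@dataclass(frozen=True)
class Lam:                    # λx. body
    x: str
    body: object
@dataclass(frozen=True)
class App:                    # fn arg
    fn: object
    arg: object
@dataclass(frozen=True)
class Nil: pass               # ε
@dataclass(frozen=True)
class Cons:                   # hd :: tl
    hd: object
    tl: object
@dataclass(frozen=True)
class Map:                    # map_List f lst
    f: object
    lst: object

def subst(t, x, u):
    """t[u/x]; assumption: binder names are distinct, so no capture handling is needed."""
    if isinstance(t, Var): return u if t.name == x else t
    if isinstance(t, Lam): return t if t.x == x else Lam(t.x, subst(t.body, x, u))
    if isinstance(t, App): return App(subst(t.fn, x, u), subst(t.arg, x, u))
    if isinstance(t, Cons): return Cons(subst(t.hd, x, u), subst(t.tl, x, u))
    if isinstance(t, Map): return Map(subst(t.f, x, u), subst(t.lst, x, u))
    return t

_counter = count()
def fresh() -> Var:
    """Fresh variable; assumption: user terms never use the reserved prefix '_v'."""
    return Var(f"_v{next(_counter)}")

def is_neutral(t) -> bool:
    """Neutral (ne): a variable, or an application stuck on a neutral; a map is never a neutral head."""
    return isinstance(t, Var) or (isinstance(t, App) and is_neutral(t.fn))

def whnf(t):
    """Weak-head normal form: β, map on ε / ::, and compaction of two stuck maps into one."""
    if isinstance(t, App):
        f = whnf(t.fn)
        if isinstance(f, Lam):
            return whnf(subst(f.body, f.x, t.arg))
        return App(f, t.arg)
    if isinstance(t, Map):
        l = whnf(t.lst)
        if isinstance(l, Nil): return Nil()
        if isinstance(l, Cons): return Cons(App(t.f, l.hd), Map(t.f, l.tl))
        if isinstance(l, Map):                       # RedMapComp: map f (map g n) ⇝ map (λx. f (g x)) n
            x = fresh()
            return Map(Lam(x.name, App(t.f, App(l.f, x))), l.lst)
        return Map(t.f, l)                           # compacted neutral (cne): one map over a neutral
    return t

def conv(t, u) -> bool:
    """Algorithmic conversion: reduce both sides, then compare heads (no transitivity rule)."""
    t, u = whnf(t), whnf(u)
    if isinstance(t, Lam) or isinstance(u, Lam):      # η on functions (CFun), untyped here
        x = fresh()
        return conv(App(t, x), App(u, x))
    if isinstance(t, Nil) and isinstance(u, Nil): return True
    if isinstance(t, Cons) and isinstance(u, Cons):
        return conv(t.hd, u.hd) and conv(t.tl, u.tl)
    if isinstance(t, Map) and isinstance(u, Map):     # MapMapConvRed: congruence on stuck maps
        x = fresh()
        return conv_ne(t.lst, u.lst) and conv(App(t.f, x), App(u.f, x))
    if isinstance(t, Map) and is_neutral(u):          # MapNeConvRed: f must act as the identity on a neutral
        x = fresh()
        return conv_ne(t.lst, u) and conv(App(t.f, x), x)
    if is_neutral(t) and isinstance(u, Map):          # NeMapConvRed, by symmetry
        return conv(u, t)
    if is_neutral(t) and is_neutral(u): return conv_ne(t, u)
    return False

def conv_ne(n, m) -> bool:
    """Comparison of neutrals (the 'inferring' relation of Figure 3), head by head."""
    if isinstance(n, Var) and isinstance(m, Var): return n.name == m.name
    if isinstance(n, App) and isinstance(m, App):
        return conv_ne(n.fn, m.fn) and conv(n.arg, m.arg)
    return False

# Constructed terms: f, g, l are variables (hence neutral), identity is λy. y
f, g, l = Var("f"), Var("g"), Var("l")
identity = Lam("y", Var("y"))

def map_id_on_neutral() -> bool:
    """Eq. (∗) on a neutral list: map_List id l ≅ l, which plain MLTT cannot derive."""
    return conv(Map(identity, l), l)

def maps_compose_on_neutral() -> bool:
    """map g (map f l) ≅ map (λz. g (f z)) l, obtained through compaction during reduction."""
    return conv(Map(g, Map(f, l)), Map(Lam("z", App(g, App(f, Var("z")))), l))
```

Note that `conv(Map(f, l), l)` is rejected for a variable `f`, because `f x` does not reduce to `x`: the identity equation is only granted to functions that behave as the identity on neutrals, exactly the side condition the paragraph states.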


4 Formalizing New Equations for Neutral Lists 


In this section we expose the main components of the accompanying Coq formal- 
ization, which covers normalization, equivalence of declarative and algorithmic 
typing, decidability of type-checking, and canonicity for a subset of MLTT_map 
with 0, ℕ, Π, Σ, List and a single universe. The formalization extends a port to 
Coq […] of a previous Agda formalization […], which has already been extended 
multiple times […]. We focus on the challenges to establish the functor 
laws on lists, and direct the reader either to the Coq code, or to Abel et al. [2] 
and Adjedj et al. for other details. The formalization spans ~26k lines of code, 
approximately 9k of which are specific to our extension with lists and definition- 
ally functorial maps and are new compared to Adjedj et al. Highlighted text refers to 
files in the companion artifact. 


4.1 A Logical Relation with Functor Laws on List 


The Coq development defines both declarative and algorithmic presentations of 
MLTT_map and proves their equivalence through a logical relation parametrized 
by a generic typing interface instantiated by both presentations. Beyond generic 
variants of the typing and conversion judgement, the interface uses two extra 
judgements:⁹ Γ ⊢_map t ⇝* t' : A stating that t reduces to t' and that they are 
both well typed at type A in context Γ; and Γ ⊢_map n ~ n' : A stating that n 
and n' are convertible neutral terms. 


⁹ Defined in 


Definition of the Logical Relation In presence of dependent types, the standard 
strategy of reducibility proofs defining reducibility of terms by induction on 
their types fails. Rather, reducibility of types and of terms are defined 
mutually, the latter defined out of a witness of the former, and the former reusing 
the latter for the universe. Following Abel et al. [2], we thus first define for each 
type former F what it means to be a type reducible as F, and then what it means 
to be a reducible term and reducibly convertible terms at such a type reducible as 
F. A type is then reducible if it is reducible as F for some type former F. As we 
extend the logical relation to handle List and map_List, we focus on a high-level 
description of the reducibility of types as lists and the reducible convertibility 
of terms of type List, the most challenging elements in the definition.¹⁰ Two 
points required specific attention with respect to prior work. First, to handle 
the fact that constructors contain their parameters, we need to impose reducible 
conversions between these and the parameters coming from the type. Second, in 
order to validate composition of map on neutrals that may contain a map, we 
need to equip neutrals with additional reducibility data, rather than pure typing 
information. 

A type X is reducible as a list in context Γ, written Γ ⊩_List X, if it weak- 
head reduces to List A for some parameter type A reducible in any context Δ 
extending Γ via a weakening ρ : Wk(Δ, Γ). If ℜ : Γ ⊩_List X is a witness that X is 
reducible as a list, then P(ℜ) stands for the parameter type A of this witness, 
and P_r(ℜ) : ∀ ρ : Wk(Δ, Γ). Δ ⊩ P(ℜ)[ρ] is its witness of reducibility. 

Reducible conversion of terms as lists Γ ⊩ t ≡ t' : A | ℜ is defined in Fig- 
ure 8. Two terms t and t' are reducibly convertible as lists with respect to the 
witness of reducibility ℜ : Γ ⊩_List X if they reduce to normal forms v, v' that 
are reducibly convertible as normal forms of type list Γ ⊩_nf v ≡ v' : A | ℜ 
(LISTRED). Straightforwardly, two canonical forms are convertible if they are 
both ε (NILRED) or both _::_ (CONSRED) with reducibly convertible heads 
and tails. 

For compacted neutral forms, we need to consider four cases according to 
whether each of the left or the right hand-side term is a map_List. NERED pro- 
vides the easy case where both terms are actually neutral, with a single premise 
requiring that these are convertible as neutrals for the generic typing inter- 
face. MAPMAPCONVRED gives the congruence rule for stuck map_List, relating 
map_List f n and map_List f' n' when the mapped lists n and n' are convertible as 
neutrals and the bodies f x and f' x of the functions are reducibly convertible. 
Note that at this point of the logical relation, we do not know that the domain of 
the functions f and f' is reducible, only that their codomain is, as provided by 
P_r(ℜ). This constraint motivates both the η-expansion of the functions on the 
fly before comparing them, and the necessity of a Kripke-style quantification on 
larger contexts for the reducibility of the parameter type P_r(ℜ), together ensur- 
ing that the recursive reducible conversion happens at a reducible type, namely 
an adequate instance of P(ℜ). Finally, the symmetric rules MAPNECONVREDL 
and NEMAPCONVREDR deal with the comparison of a map_List against a neu- 
tral n, that can be morally thought of as map_List id n, and indeed the premises 
correspond to what one would obtain with MAPMAPCONVRED in that case, up 
to an inlined β-reduction step. 


¹⁰ Available in file LogicalRelation. 


LISTRED:  Γ ⊢_map t ⇝* v : List P(ℜ)    Γ ⊢_map t' ⇝* v' : List P(ℜ)    Γ ⊩_nf v ≡ v' : X | ℜ 
  ⟹  Γ ⊩ t ≡ t' : X | ℜ 

CONSRED:  Γ ⊩ P(ℜ) ≡ P | P_r(ℜ)    Γ ⊩ P(ℜ) ≡ P' | P_r(ℜ)    Γ ⊩ hd ≡ hd' : P(ℜ) | P_r(ℜ)    Γ ⊩ tl ≡ tl' : X | ℜ 
  ⟹  Γ ⊩_nf hd ::_P tl ≡ hd' ::_{P'} tl' : X | ℜ 

NILRED:  Γ ⊩ P(ℜ) ≡ P | P_r(ℜ)    Γ ⊩ P(ℜ) ≡ P' | P_r(ℜ)  ⟹  Γ ⊩_nf ε_P ≡ ε_{P'} : X | ℜ 

NERED:  Γ ⊢_map n ~ n' : List P(ℜ)  ⟹  Γ ⊩_nf n ≡ n' : X | ℜ 

MAPNECONVREDL:  Γ ⊢_map n ~ n' : List P(ℜ)    Γ, a : P(ℜ) ⊩ f a ≡ a : P(ℜ) | P_r(ℜ) 
  ⟹  Γ ⊩_nf map_List f n ≡ n' : X | ℜ 
NEMAPCONVREDR:  symmetric to MAPNECONVREDL, with the map on the right-hand side 

MAPMAPCONVRED:  Γ ⊢_map n ~ n' : List A    Γ, a : A ⊩ f a ≡ f' a : P(ℜ) | P_r(ℜ) 
  ⟹  Γ ⊩_nf map_List f n ≡ map_List f' n' : X | ℜ 

Fig. 8. Reducible convertibility of lists (where ℜ is a proof of Γ ⊩_List X) 


Validity of the Functor Laws. All the expected properties extend to this new logical relation: reflexivity, symmetry, transitivity, irrelevance with respect to reducible conversion, stability by weakening and anti-reduction.11 These properties are essential in order to show that the logical relation validates the functor laws on any reducible term. The proof proceeds through the usual argument for logical relations: on canonical forms, the functor laws hold as observed already in Section [ref]; on compacted neutrals and neutral forms, we need to show that any composition of map_{A,B} reduces to a single map of a function with a reducible body, which amounts to showing that composing reducible functions produces reducible outputs on reducible inputs. This last step in the proof reflects our assumption that the categorical structure equipping domains of type formers, here dom(List), should be definitionally associative and unital.


11 Available in the directory LogicalRelation. 


4.2 Deciding Conversion and Typechecking for MLTT_map


Instantiating the generic typing interface of the logical relation with declarative typing provides metatheoretic consequences of the existence of normal forms, among which normalization, injectivity of type constructors and subject reduction. Using those, we can show that algorithmic typing is sound directly by induction, and also that it fits the generic typing interface of the logical relation, which lets us derive that it is complete with respect to declarative typing.

This part of the proof is close to Abel et al. and Adjedj et al. The main change is that we adapt algorithmic conversion to reflect the addition of compacted neutrals in our definition of normal forms, by introducing a third mutually defined relation to compare these compacted neutrals. The main idea is summed up in rules LNConv and LNMap below: when comparing compacted neutrals, we use the new relation ≅_map, which simulates the behaviour of the logical relation from Figure 8 on compacted neutrals.


LNConv:  from  Γ ⊢_map c ≅_map c' ◁ List A
         derive  Γ ⊢_map c ≅_h c' ◁ List A

LNMap:   from  Γ ⊢_map n ≅ n' ▷ List A  and  Γ, x : A ⊢_map f x ≅ f' x ◁ B
         derive  Γ ⊢_map map_{A,B} f n ≅_map map_{A,B} f' n' ◁ List B


Using this second, algorithmic, instance as a specification, we can show the soundness and completeness of a conversion-checking function extending that of Adjedj et al. with lists and neutral compaction. Thus, via the equivalence of declarative and algorithmic conversion, we obtain decidability of the rich equational theory of (declarative) MLTT_map.


5 Subtyping, Coercive and Subsumptive


The main application we develop for our definitional functor laws is structural subtyping. More precisely, we describe two extensions of MLTT. The first, MLTT_sub, has subsumptive subtyping: whenever Γ ⊢_sub t : A and A ≼ A', then also Γ ⊢_sub t : A', leaving subtyping implicit. The second, MLTT_coe, features coercive subtyping, witnessed by an operator coe_{A,A'} t explicitly marking where subtyping is used and well-typed whenever Γ ⊢_coe t : A and A ≼ A'. The computational behaviour of coe on each type former is informed by the corresponding map in MLTT_map: structural coercions can hence be studied modularly in MLTT_map and tied together in MLTT_coe.

In Section 5.1 we give algorithmic presentations of MLTT_coe and MLTT_sub. In the context of a proof assistant or dependently typed programming language, MLTT_sub would be the flexible, user-facing system, and MLTT_coe its well-behaved specification. We do not develop the equivalence between this algorithmic presentation of MLTT_coe and its declarative variant, as its proof is similar to the one for MLTT_map.

Section 5.2 relates MLTT_coe and MLTT_sub: there is a simple erasure |·| from the former to the latter which removes coercions, and we show it is type-preserving; conversely, we show that any well-typed MLTT_sub term can be elaborated to a well-typed MLTT_coe term. The extra definitional functor laws are essential at this stage, to ensure that all equalities valid in MLTT_sub still hold in MLTT_coe: since we are in a dependently typed system, if equations valid in MLTT_sub failed to hold in MLTT_coe, elaboration could not be type-preserving. Finally, Section 5.3 discusses the implications of this equivalence for coherence.


5.1 The Type Systems MLTT_sub and MLTT_coe


We focus on the structural aspect of subtyping, and a base case would be needed to have a non-trivial subtyping relation, i.e. to relate more types than conversion. We do not present a base case for subtyping due to space constraints, but refinement types with subtyping induced by the implication order on formulas, or record types with width and depth subtyping, are typical instances of such a base case. The latter is presented in [ref].


[Fig. 9 (rule display lost in extraction). Judgement Γ ⊢_sub T ≼_h T' ◁: reduced type T is a subtype of reduced type T'. Rules UniSub (between universes), ProdSub (Πx:A.B ≼ Πx:A'.B' from A' ≼ A and Γ, x:A' ⊢ B ≼ B'), ListSub (List A ≼ List A' from A ≼ A') and NeuSub (neutral types compared with n ≅_h n').]

Fig. 9. Algorithmic subtyping between reduced types (extends Figure [ref])


Algorithmic MLTT_sub. This system replaces rule Check with the following rule, which uses subtyping ≼ instead of conversion:

CheckSub:  from  Γ ⊢_sub t ▷ T'  and  Γ ⊢_sub T' ≼ T ◁
           derive  Γ ⊢_sub t ◁ T


Subtyping, defined in Figure 9, orients type-level conversion from Figure [ref], taking into account co- and contravariance. It relies on neutral comparison and term-level conversion, both of which are not altered with respect to Figure [ref]: subtyping is a type-level concept only.


Algorithmic MLTT_coe. In contrast with MLTT_sub, rule Check in MLTT_coe is not altered. Instead, subtyping is only allowed when explicitly marked by coe, as follows:

Coe:  from  Γ ⊢_coe A ≼ A' ◁  and  Γ ⊢_coe t ◁ A
      derive  Γ ⊢_coe coe_{A,A'} t ▷ A'




[Fig. 10 (rule display lost in extraction). Reduction rules for coe once both types are in weak-head normal form: on Π types, an applied coercion (coe_{Πx:A'.B', Πx:A.B} f) a steps to a coercion of f applied to the coerced argument; on universes the coercion reduces to the coerced term t; on lists, coe_{List A,List A'} ε ⇝¹ ε and coe_{List A,List A'} (h :: t) ⇝¹ coe_{A,A'} h :: coe_{List A,List A'} t; CoeL and CoeR reduce the type annotations A and A'; CoeTm reduces the coerced term when both types are positive or neutral; CoeCoe compacts coe_{U,U'} coe_{T,T'} n into coe_{T,U'} n when U, U', T, T' are positive or neutral and n is neutral. Normal forms:

  nf  f ::= n | P | N | λx:t.t | ε_t | t ::_t t | coe_{N,N'} f | ...   weak-head normal forms
  nf⊖ N ::= Πx:t.t | ...                                                negative whnf types
  nf⊕ P ::= Type_i | List t | ...                                       positive whnf types
  ne  n ::= x | n t | ind_P(c; t; t) | ...                              weak-head neutrals
  cne c ::= n | coe_{P,P'} n | coe_{n,n'} n                             compacted neutrals]

Fig. 10. Weak-head reduction rules for coercion (extends Figure [ref])


Reduction must of course be extended to give an operational behaviour to coe, and is given in Figure 10, together with normal forms. Operationally, coe_{A,A'} t reduces the types A and A' to head normal forms, then behaves like the relevant map, propagating coe recursively. Since coe_{A,A'} t is well-typed only when A is a subtype of A', the type formers of their head normal forms have to agree, ensuring that we can always rely on this behaviour to enact structural subtyping. As for map, rule CoeCoe lets us compact a succession of stuck coe. This only applies to positive types (characterized by nf⊕): we do not compact coercions between negative/extensional types, but wait for the term to be observed to trigger further reduction.

Neutral conversion is described at the top of Figure 11 and features an additional comparison between compacted neutrals similar to MLTT_map (LNConv). Rule NCoe is a congruence for coercions, where the source and target types necessarily agree by typing invariants, and are thus not compared. Rules NCoeL and NCoeR handle identity coercions. Accordingly, ≅_coe is carefully used whenever normal forms can be compacted neutrals, e.g. at neutral and positive types, as shown at the bottom of Figure 11. Apart from this change, conversion at the term and type level and subtyping are similar to those of MLTT_sub.


5.2 Elaboration and Erasure


We can now turn to the correspondence between MLTT_sub and MLTT_coe. The translation in the forward direction, erasure |·|, removes coercions, |coe_{A,A'} t| = |t|, and is otherwise a congruence. It is lifted pointwise to contexts. We first show that erasure is sound, meaning that it preserves typing and conversion, and then that it is also invertible, i.e. that any well-typed MLTT_sub term t' elaborates to a well-typed MLTT_coe term t whose erasure is t' = |t|.

[Fig. 11 (rule display lost in extraction). Judgement Γ ⊢_coe t ≅_coe t' ◁ T: compacted neutrals t and t' are comparable at type T. Rules NCoe (congruence of coe over neutral comparison n ≅ n'), NCoeL and NCoeR (a coercion coe_{T,T'} n compared against a bare neutral), and, at the bottom, NeuNeu and NeuList, which invoke ≅_coe at neutral and list types.]

Fig. 11. Algorithmic comparison of neutrals in MLTT_coe (extends Figure [ref])


sub 


coe 


Soundness of Erasure. Erasure translates from a constrained system to a more liberal one. Establishing its soundness, e.g. that conversion and typing are preserved, is relatively easy, as long as the reduction rules of Figure 10 are designed so that erasure preserves them. Indeed, the key point is that reduction rules for coe do not change the structure of the erased term, and so erase to exactly zero steps of reduction. In contrast, the rule below is inadequate, as it would η-expand terms at function types more in MLTT_coe than in MLTT_sub:

coe_{Πx:A.B, Πx:A'.B'} f ⇝¹ λx:A'. coe_{B[coe_{A',A} x], B'} (f (coe_{A',A} x))

The two terms remain nonetheless convertible. By induction on MLTT_coe's typing derivation, one can then show that erasure preserves conversion and subtyping, and finally typing.
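As an added example (not the paper's Coq development), the following Python model encodes erasure and the coe reduction rules of Figure 10 on a tuple syntax constructed here, and checks the "zero steps" property: both sides of each rule erase to the same MLTT_sub term, whereas the rejected η-expanding rule above does not. The right-hand side of the applied Π rule is assumed to be coe_{B'[coe_{A,A'} a], B[a]} (f (coe_{A,A'} a)), and the types inside coe are assumed already in weak-head normal form (rules CoeL/CoeR are not modelled).

```python
"""Erasure |.| from MLTT_coe to MLTT_sub and the coe reduction rules of Fig. 10
on a nested-tuple term syntax (added example, not the paper's Coq code).
Constructors (constructed here):  ('var', x)  ('app', f, a)  ('lam', x, A, b)
('pi', x, A, B)  ('univ',)  ('list', A)  ('nil',)  ('cons', h, t)
('coe', A, A1, t)  standing for coe_{A,A'} t.  Types inside coe are assumed
already in whnf, and bound names are assumed distinct from free ones."""


def erase(t):
    """|coe_{A,A'} u| = |u|, congruence everywhere else (types included)."""
    if t[0] == 'coe':
        return erase(t[3])
    return tuple(erase(c) if isinstance(c, tuple) else c for c in t)


def subst(t, x, v):
    """t[v/x], naive: stops under a binder that rebinds x (no capture avoidance)."""
    if t[0] == 'var':
        return v if t[1] == x else t
    if t[0] in ('lam', 'pi') and t[1] == x:
        return (t[0], x, subst(t[2], x, v), t[3])
    return tuple(subst(c, x, v) if isinstance(c, tuple) else c for c in t)


def neutral(t):
    """Weak-head neutral: a variable under a stack of applications."""
    return t[0] == 'var' or (t[0] == 'app' and neutral(t[1]))


def positive_or_neutral(ty):
    """Types at which CoeCoe may compact: positive (universe, list) or neutral."""
    return ty[0] in ('univ', 'list') or neutral(ty)


def coe_step(t):
    """One weak-head step for coe, or None if no rule of Fig. 10 applies."""
    # Π rule, applied form (right-hand side assumed):  (coe_{Πx:A'.B', Πy:A.B} f) a
    #   ⇝ coe_{B'[coe_{A,A'} a / x], B[a / y]} (f (coe_{A,A'} a))
    if t[0] == 'app' and t[1][0] == 'coe' and t[1][1][0] == 'pi' and t[1][2][0] == 'pi':
        (_, src, tgt, f), a = t[1], t[2]
        _, x, a1, b1 = src            # source  Πx:A'.B'
        _, y, a0, b0 = tgt            # target  Πy:A.B
        ca = ('coe', a0, a1, a)       # argument coerced into the source domain
        return ('coe', subst(b1, x, ca), subst(b0, y, a), ('app', f, ca))
    if t[0] != 'coe':
        return None
    _, ty, ty1, u = t
    if ty[0] == 'univ' and ty1[0] == 'univ':       # coercion between universes is dropped
        return u
    if ty[0] == 'list' and ty1[0] == 'list':       # behaves like map on lists
        if u[0] == 'nil':
            return ('nil',)
        if u[0] == 'cons':
            return ('cons', ('coe', ty[1], ty1[1], u[1]), ('coe', ty, ty1, u[2]))
    # CoeCoe: compaction of a stuck coercion of a stuck coercion of a neutral
    if (u[0] == 'coe' and neutral(u[3]) and positive_or_neutral(ty)
            and positive_or_neutral(ty1) and positive_or_neutral(u[1])
            and positive_or_neutral(u[2])):
        return ('coe', u[1], ty1, u[3])
    return None


def eta_rule(t):
    """The rejected rule:
    coe_{Πx:A.B, Πy:A'.B'} f ⇝ λy:A'. coe_{B[coe_{A',A} y / x], B'} (f (coe_{A',A} y))."""
    _, (_, x, a0, b0), (_, y, a1, b1), f = t
    cy = ('coe', a1, a0, ('var', y))
    return ('lam', y, a1, ('coe', subst(b0, x, cy), b1, ('app', f, cy)))


def erases_to_zero_steps(lhs, step=coe_step):
    """Erasure preserves a step iff both sides erase to the same MLTT_sub term."""
    rhs = step(lhs)
    return rhs is not None and erase(lhs) == erase(rhs)
```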


Theorem 1 (Erasure Preserves Typing). If Γ ⊢_coe t ◁ T holds and its inputs are well-formed, then |Γ| ⊢_sub |t| ◁ |T|.

Elaboration. Elaborating back from MLTT_sub to MLTT_coe is more challenging: as we add annotations, we must ensure that these do not hinder conversion. We follow the proof strategy of a similar proof of elaboration soundness in Lennon-Bertrand et al. The core of the argument is the so-called "catch-up lemmas", which ensure that annotations never block redexes. As an example, here is the one for function types.


Lemma 2 (Catch up, Function Type). If Γ ⊢_coe f a : B and |f| = λx:A.t, then there exists t' such that |t'| = t and f a ⇝* t'[a].

From these catch-up lemmas it follows that erasure is a backward simulation, therefore that it preserves subtyping, and finally that it is type-preserving. Proofs are all by induction, and given in [ref].

Lemma 3 (Erasure is a Backward Simulation). Assume that Γ ⊢_coe t : T. If |t| ⇝* u', with u' a weak-head normal form, then t ⇝* u, with u a weak-head normal form such that |u| = u'.


Lemma 4 (Elaboration Preserves Subtyping). The following implications hold whenever the inputs of the conclusions are well-formed:

1. if |Γ| ⊢_sub |T| ≼ |U| ◁, then Γ ⊢_coe T ≼ U ◁;
2. if |Γ| ⊢_sub |t| ≅ |u| ◁ |T|, then Γ ⊢_coe t ≅ u ◁ T;
3. if |Γ| ⊢_sub |t| ≅ |u| ▷ T, then Γ ⊢_coe t ≅ u ▷ T;
4. and similarly for the other judgements.


Finally, the main theorem states that we can elaborate terms using implicit subtyping to explicit coercions, in a type-preserving way.

Corollary 1 (Elaboration). If ⊢ Γ, Γ ⊢_coe T ◁ and |Γ| ⊢_sub t' ◁ |T|, then there exists t such that Γ ⊢_coe t ◁ T, and |t| = t'.

Importantly, to establish this equivalence we do not need to develop any meta-theory for MLTT_sub: having the meta-theory of MLTT_coe is enough! Nonetheless, now that the equivalence between the two systems has been established, we can use it to transport meta-theoretic properties, such as normalization, from MLTT_coe to MLTT_sub.


5.3 Coherence 


An important property of elaboration is coherence, stating that the elaboration of a well-typed term does not depend on its typing derivation. In our algorithmic setting, a term has at most one typing derivation and so at most one elaboration. However, multiple well-typed terms in MLTT_coe can still erase to the same MLTT_sub term. While only one of them is the result of elaboration as defined in Corollary 1, all these distinct terms should still behave similarly. The following is a direct consequence of Lemma 4, and shows that the equations imposed on coe are enough to give us a very strong form of coherence: it holds up to definitional equality, rather than in a weaker, semantic way. Another way to look at this is that the scenario of Example [ref] cannot happen, thanks to our new equations: if two terms erase to the same coercion-free one in MLTT_sub, then they must be convertible in MLTT_coe. Hidden coercions cannot be responsible for failures of conversion.

Theorem 2 (Coherence). If t, u are such that Γ ⊢_coe t ◁ T and Γ ⊢_coe u ◁ T, with ⊢_coe Γ and Γ ⊢_coe T ◁, and moreover |t| = |u| (i.e. t and u correspond to the same MLTT_sub term), then Γ ⊢_coe t ≅ u ◁ T.


Proof. By reflexivity (obtained through the equivalence with the declarative system), Γ ⊢_coe t ≅ t ◁ T. Using Theorem 1 (soundness of erasure), we get |Γ| ⊢_sub |t| ≅ |t| ◁ |T|, and so also |Γ| ⊢_sub |t| ≅ |u| ◁ |T|. But then by Lemma 4 (elaboration preserving conversion), we can come back, and obtain Γ ⊢_coe t ≅ u ◁ T.


As particular cases of this coherence theorem, we can now exhibit the necessity of the functor laws, sharpening the informal argument in the introduction. For the identity law, any well-typed MLTT_coe term coe_{A,A} t erases to |coe_{A,A} t| = |t| in MLTT_sub, and by coherence we obtain that the conversion Γ ⊢_coe coe_{A,A} t ≅ t ◁ A is required in MLTT_coe. For the composition law, we have for adequately well-typed terms that |coe_{B,C} coe_{A,B} t| = |t| = |coe_{A,C} t|, hence by coherence the conversion Γ ⊢_coe coe_{B,C} coe_{A,B} t ≅ coe_{A,C} t ◁ C must hold in MLTT_coe as well.


6 Related and Future Work 


Adding Definitional Equations to Dependent Type Theory. Strub endows a dependent type theory with additional equations from first order decidable theories, with further extensions to a universe hierarchy and large eliminations in Jouannaud et al. and Barras et al. Equational theories can sometimes be presented by a confluent set of rewrite rules, a case advocated by Cockx et al. They show through counter-examples that ensuring type preservation in dependent type theory is a subtle matter and do not ensure normalization of the resulting theory. On the theoretical side, categorical tools are being developed to prove general conservativity and strictification results for type theories, extending the seminal work of Hofmann on conservativity of extensional type theory with respect to intensional type theory.


Formalized Metatheory with Logical Relations. Allais et al. propose to add a variety of fusion laws for lists, including our functor laws, to a simply typed λ-calculus, only sketching an extension to dependent types. The three classes of normal forms (see Figures [ref] and [ref]) are inspired from their work. While we depart from their normalization by evaluation approach to obtain fine-grained results on convergence of iterated weak-head reduction, we expect that the original strategy should extend to dependent types. Formalizing logical relations for MLTT is a difficult exercise, pioneered by Abel et al. in Agda using inductive-recursive definitions, and Wieczorek et al. [55] in Coq using impredicativity. We build upon and extend a Coq reimplementation of the former.


Cast and Coercion Operators. Pujet et al. extend Abel et al. to establish the metatheory of observational type theory [8]. Their work features a cast operator behaving similarly to coe, but guarded by an internal proof of equality instead of an external subtyping derivation. Their cast does not satisfy definitional transitivity, and we give evidence in Section [ref] that such an extension would break metatheoretical properties. Another cast primitive with a similar operational behaviour appears in cast calculi for gradual typing, and indeed our proof that elaboration is type preserving in Section 5.2 is inspired by a similar one for GCIC, which combines gradual and dependent types. In this case, casting is allowed between any two types, but the absence of guard is compensated by the possibility of runtime errors, making the type theory inconsistent.


Functorial Maps for Inductive Type Schemes. Luo et al. describe the construction of map for a class of strictly positive operators on paper, but do not implement it. Deriving map-like constructions is a typical example of metaprogramming frameworks for proof assistants, e.g. Coq-Elpi [19] in Coq, and the generics Agda library derives a fold operation, from which map can be easily obtained. In a simply typed setting, Barral et al. [10] employ rewriting techniques, in particular rewriting postponement, to show that an oriented variant of the functor laws is confluent and normalizing. These techniques rely on normalization, and could not be easily adapted to the dependent setting; however the idea of postponing the reduction step for identity appears in our logical relation as well. In a short abstract, McBride et al. investigate a notion of functorial adapters that generalizes and unifies both the Check rule from bidirectional typing and the Coe rule from MLTT_coe.


Subtyping, Dependent Types and Algorithmic Derivations. Coherence of coercions in presence of structural subtyping is a challenging problem. To address the issue, Luo et al. introduce a notion of weak transitivity, weakening the coherence of the transitivity up to propositional equality. This solution does not interact well with dependency, forcing them to restrict structural subtyping to a class of non-dependent inductives, e.g. excluding (positive) Σ. Luo et al. show that the transitivity of coercions is admissible in presence of definitional compositions, called χ-rules there, for inductive schemata. They rely on a conjecture that strong normalization and subject reduction hold in presence of these χ-rules, explicitly mentioning that the metatheory with those additional equality rules is "largely unknown". We provide such results, and have formalized them for List. We use a completely different proof technique, that scales to a theory with universes and large elimination. Both aforementioned papers employ a strict order for subtyping and do not consider the functor law for the identity, nor tackle decidability of type-checking.

Aspinall et al. [9] investigate the relationship between subtyping and dependent types using algorithmic derivations to control the subtyping derivations for a variant of λP, a type theory logically much weaker than MLTT. Lungu et al. study an elaboration of a subsumptive presentation into a coercive one in presence of a coherent signature of subtyping relations between base types. Assuming normalization, they show that subtyping extends to Π types, setting aside other parametrized types. While they work over an abstract signature of coercions, the functor laws we study are needed to instantiate this signature with meaningful datatypes while respecting their assumptions. We explain the relation of these algorithmic systems with bidirectional systems, notably the one of Abel et al., contributing to a sharper picture.


Integration with Other Forms of Subtyping. As we mentioned in Section [ref], our design of base subtyping was guided by simplicity. Our work on structural subtyping should integrate mostly seamlessly with other, more ambitious forms of subtyping. Coercions between dependent records form the foundation of hierarchical organizations of mathematical structures, and should be a simple extension of our framework. This could lead to a vast simplification of the complex apparatus currently needed to deal with these hierarchies.

Refinement subtyping is heavily used in F* but also in Coq's Program to specify the behaviour of programs. Relativizing any result of decidability of type-checking to that of the chosen fragment of refinements, an implementation of refinement subtyping using definitionally irrelevant propositions to preserve ... should be within reach.

Our techniques for structural subtyping should also apply well in the context of algebraic approaches to cumulativity between universes. Cumulativity goes beyond mere subtyping, as it also involves definitional isomorphisms between two copies of the same type at different universe levels. Our definitional functor laws already allow these to interact well with map operations, but it would be interesting to investigate which extra definitional equations are needed, and can be realized, to make structural cumulativity work seamlessly, hopefully obtaining a translation from Russell-style to Tarski-style universes similar to our elaboration from MLTT_sub to MLTT_coe.


Data Availability Statement. An archive containing the formalization presented in Section 4 is available at [ref]. The Coq code is supplemented with a report and a Docker image.
1 Organization of the Artefact and Other Resources


This document describes the Coq formalisation accompanying the paper Definitional Functoriality for Dependent (Sub)Types, more specifically the content of Section 4. To complement this document, we also provide the following:

— the REQUIREMENTS.md and INSTALL.md files with installation instructions;

— the README .md file with a quick overview of the development with hyperlinks 
to the files of interest; 

— a DOCKER.md file, with installation and usage instructions for the provided 
docker image; 

— a Readme.v file, which gives a more in-depth overview of the development 
as a COQ file, using directly the main CoQ definitions and theorems, and is 
roughly similar to the present PDF description; 

— a doc/dependency_graph.png file, showing the structure of the develop- 
ment. 

We utilize the logical relation proof technique presented in Abel et al. [1] and build upon its Coq implementation due to Adjedj et al. [2]. This artefact contributes an extension of the formalisation with lists and definitional functor laws for lists. We refer to both articles for further details on the proof technique and the general setup of the formalisation.


2 Syntax 


Terms (AutoSubst/Ast). The syntax of terms, along with the other files in the AutoSubst folder, is generated using the AutoSubst plugin. The definitions of renaming and substitution are also automatically derived from that of terms, and so are many boilerplate lemmas on them. Of particular interest are the constructors tList, tNil, tCons, tElim and tMap, respectively corresponding to the type constructor for lists, the empty list, list consing, the (dependent) eliminator for lists, and the definitionally functorial map operation.


NormalForms. Weak-head normal forms whnf, neutrals whne and compacted neutrals whne_list are defined as inductive predicates on terms, i.e. as functions of type term -> Prop, corresponding to Fig. 4 and 10 from the paper. In particular, any compacted neutral is a normal form, and compacted neutrals can either consist of a map of a neutral, or simply of a neutral.
Reduction (UntypedReduction). Reduction, written [t ⇒* t'], is the transitive closure of one-step reduction [t ⇒ t'], defined as an inductive relation. In particular, we have the rules of Fig. 9, that is:

mapNil : forall {A A' B f : term}, [tMap A B f (tNil A') ⇒ tNil B]
mapCons : forall {A A' B f a l : term},
  [tMap A B f (tCons A' a l) ⇒ tCons B (tApp f a) (tMap A B f l)]
mapComp : forall {A B B' C f g l : term},
  whne l -> [tMap B C f (tMap A B' g l) ⇒ tMap A C (comp A f g) l]


3 Typing and Conversion 


GenericTyping. Following Abel et al. [1] and Adjedj et al. [2], the definition
of the logical relation is parametrized by a notion of generic typing, a common 
interface to be instantiated with both the declarative and algorithmic notions of 
typing. This interface features a family of judgments for context well-formation, 
typing, conversion but also a conversion of neutrals and a (typed) reduction re- 
lation. These judgements should satisfy properties, listed for each predicate with 
a record (TypingProperties, ConvProperties, etc.), and grouped together in the 
GenericTypingProperties record. We use type-classes to automatically find these 
properties when needed, and attach generic notations (defined in Notations) to 
these type-classes too. 

For lists, generic typing closely resembles declarative typing, as defined in Fig. 
2. Generic conversion must contain reduction, which includes typed variants of 
the rules above. Moreover, we have congruence rules for constructors, for instance 
we have the following, where ta stands for an arbitrary generic conversion: 


forall (Γ : context) (A A' : term),
  [Γ |-[ ta ] A ≅ A' : U] -> [Γ |-[ ta ] tList A ≅ tList A' : U]


Conversion is not constrained to be a congruence for destructors, but it must 
contain neutral conversion, which is a congruence for tMap and tListElim, pro- 
vided its main argument is too. Functor laws are also specified at the level of 
neutral conversion. 


DeclarativeTyping The definition of the declarative judgments, as inductive 
predicates, corresponds to Fig. 2, 3, and 9 — the latter being restricted to 
the case of lists. The corresponding instance of generic typing is defined in 
DeclarativeTypingInstance. Neutral comparison is instantiated simply with 
conversion, i.e. the declarative instance does not distinguish between the two 
notions. Typed reduction is instantiated as the conjunction of declarative con- 
version and untyped reduction. All other judgments are directly instantiated 
with the corresponding declarative one. 


AlgorithmicTyping The raw algorithmic typing judgments, akin to Fig. 5 and 
6, are again defined as inductive predicates. As we explain at the end of Section 
2.3 in relation to Fig. 7, we must impose extra pre-conditions for these judg-
ments to be well-behaved. The corresponding judgments, called bundled, are 
defined in BundledAlgorithmicTyping. In AlgorithmicConvProperties and 
AlgorithmicTypingProperties, we establish the properties of the conversion 
and typing judgments, to derive two new instances of generic typing. The first in- 
stance uses (bundled) algorithmic conversion, but declarative typing. It depends 
on consequences of the logical relation instantiated with the fully declarative 
instance. The second uses only bundled algorithmic judgments, but depends on 
consequences of the logical relation instantiated with the first, mixed instance. 


4 The Logical Relation 


The logical relation is built from two layers, first the reducibility layer attaching 
witnesses of reducibility to weak-head normal form and second the validity layer 
that closes reducibility under substitution. 


Definition of reducibility (LogicalRelation). The reducibility layer describes the types A that are reducible in a given context Γ and level l, noted [Γ ||-<l> A]. Informally, a type is reducible when it weak-head reduces to a (weak-head) normal form, and the subterms of this normal form are themselves reducible. This weak-head normal form, when it exists, is unique by determinism of the weak-head reduction strategy. A witness of reducibility RA : [Γ ||-<l> A] for the type A induces three subsequent predicates:

— reducible conversion of a type B to A, noted [Γ ||-<l> A ≅ B | RA],
— reducibility of terms t of type A, noted [Γ ||-<l> t : A | RA],
— reducible conversion of terms t, u of type A, noted [Γ ||-<l> t ≅ u : A | RA].

These three predicates are packed in a single record LRPack. Reducible types are characterized inductively together with their associated LRPack using an indexed inductive LR. This encoding of a seemingly inductive-recursive definition using the inductively generated graph of the functions is known as small induction-recursion. The actual content of the reducibility relation is defined independently for each type former as well as the neutral types. We focus here on the reducibility of lists and refer to [1, 2] for the other type formers.

A type A is reducible as a list if it weak-head reduces to a type of shape tList par where the parameter type par is itself reducible in any weakening of the context Γ. This Kripke-style quantification on all future (weakened) contexts Δ ≤ Γ is necessary for specifying reducibility in larger contexts.

Reducible terms of list type are defined inductively in two steps: ListProp holds of canonical forms of type list (nil, cons and neutrals) with reducible arguments; ListRedTm holds of terms that weak-head reduce to a reducible canonical form. The two inductive definitions must be mutual since the tail of a reducible tCons need not be in weak-head normal form. A neutral term of list type is reducible if it is a well-typed neutral and moreover, if it is of shape tMap A B f l with l necessarily neutral itself, then the body f(wk1 Γ A) (tRel 0) of f must be reducible in an extended context Γ,,A. In the latter case, the type B of the codomain of f cannot be required to be reducible since that would lead to a non-well-founded definition for the logical relation, but it is reducibly convertible to the reducible parameter type par at which reducibility of lists is defined.

Reducible conversion between terms of list type follows a similar pattern. In order to account for the identity functor law, the additional reducibility datum needed to relate two neutral terms also depends on the shape of the terms:

— if both terms are respectively of the shape tMap A B f l and tMap A' B' f' l', then the bodies of f and f' must be reducibly convertible (congruence);
— if only one of the terms is of shape tMap A B f l, then f must be reducibly convertible to the identity function, i.e. its body must be reducibly convertible to the first variable in context tRel 0.


Properties of Reducibility In order to reason on reducibility, we derive the induc- 
tion principle corresponding to the inductive-recursive definition of the logical 
relation in LogicalRelation/Induction. This induction principle is then em- 
ployed to derive a variety of properties of reducibility in the LogicalRelation/ 
subdirectory: an inversion principle, irrelevance with respect to reducible con- 
version, reflexivity, symmetry and transitivity of reducible conversion, stability 
by weakening and by anti-reduction. 


Validity and the Fundamental Lemma Validity closes reducibility by reducible 
substitution using another encoding of an inductive-recursive schema. The fun- 
damental lemma then states that all components of a derivable declarative judge- 
ment are valid, in particular, terms well-typed for the declarative presentation 
are valid. The proof of the fundamental lemma proceeds by an induction on declar-
ative typing derivations, using that each declarative derivation step is admissible 
for the validity logical relation. These admissibility results are shown indepen- 
dently for each type former in the Substitution/Introductions/ subdirectory. 
Most type and term formers related to lists are in List, while the eliminator 
for lists is in ListElim. The proofs follow the description of the logical relation: 
first, we show that each type, term or conversion equation is reducible using the 
definition and properties of reducibility, and then that it is valid. To show that 
the functor laws are valid, we use that composition of functions (e.g. morphisms
for lists) is definitionally associative and unital.


5 Type-checker (Decidability folder) 


Open Recursion for Partial Functions To side-step issues with the complex ter-
mination argument of the conversion checker, we define it in an open recursion
fashion, relying on a form of free monad. The functions for reduction, conversion
and type checking are defined in Decidability/Functions. The main change
compared to Adjedj et al. is the addition of compaction to weak-head eval-
uation. Evaluation is implemented using a stack machine, on which elimination
forms are pushed as they are encountered. When the machine hits a variable,
for Adjedj et al. it means the whole term — the variable against the stack
of eliminations — is a neutral. However, this is not the case for us: we want to
compute a compacted neutral. Thus, we add an extra compaction pass, imple-
mented by the compact function, which merges successive map operations on the
stack as we unpile them.
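To make the two mechanisms above concrete, here is a small executable model of the stack machine with its compaction pass, written in Python. It is an added illustration, not the Coq development's code: terms are untyped de Bruijn terms (the type annotations A and B of tMap are dropped, on the assumption that they play no role in compaction itself), eliminations are pushed on a stack as they are met, and when a variable is reached the stack is unpiled while adjacent map frames are merged into a single map by the composed function. The same `is_identity` test also models the identity-law case of reducible conversion from the previous section: a map by a function whose body weak-head reduces to tRel 0 is erased. All names (`whnf`, `unwind`, `compose`, `is_identity`) are this example's own.

```python
"""Constructed model of weak-head evaluation by a stack machine with neutral
compaction (merging of successive maps).  Not the Coq development's code."""
from dataclasses import dataclass
from typing import Any


# Untyped de Bruijn terms; tMap's type annotations A, B are omitted (assumption).
@dataclass(frozen=True)
class Var:
    idx: int

@dataclass(frozen=True)
class Lam:
    body: Any

@dataclass(frozen=True)
class App:
    fn: Any
    arg: Any

@dataclass(frozen=True)
class Nil:
    pass

@dataclass(frozen=True)
class Cons:
    hd: Any
    tl: Any

@dataclass(frozen=True)
class Map:          # tMap f l with the types erased
    fn: Any
    lst: Any


def shift(t, d=1, c=0):
    """Weakening: add d to every free variable index >= c."""
    if isinstance(t, Var):
        return Var(t.idx + d) if t.idx >= c else t
    if isinstance(t, Lam):
        return Lam(shift(t.body, d, c + 1))
    if isinstance(t, App):
        return App(shift(t.fn, d, c), shift(t.arg, d, c))
    if isinstance(t, Map):
        return Map(shift(t.fn, d, c), shift(t.lst, d, c))
    if isinstance(t, Cons):
        return Cons(shift(t.hd, d, c), shift(t.tl, d, c))
    return t


def subst(t, s, j=0):
    """Substitute s for variable j, lowering the variables above it."""
    if isinstance(t, Var):
        if t.idx == j:
            return shift(s, j)
        return Var(t.idx - 1) if t.idx > j else t
    if isinstance(t, Lam):
        return Lam(subst(t.body, s, j + 1))
    if isinstance(t, App):
        return App(subst(t.fn, s, j), subst(t.arg, s, j))
    if isinstance(t, Map):
        return Map(subst(t.fn, s, j), subst(t.lst, s, j))
    if isinstance(t, Cons):
        return Cons(subst(t.hd, s, j), subst(t.tl, s, j))
    return t


def is_identity(f):
    """Identity law: f reduces to a lambda whose body reduces to tRel 0."""
    f = whnf(f)
    return isinstance(f, Lam) and whnf(f.body) == Var(0)


def compose(g, f):
    """The morphism x |-> g (f x), with the identity law applied eagerly."""
    if is_identity(g):
        return f
    if is_identity(f):
        return g
    return Lam(App(shift(g), App(shift(f), Var(0))))


def apply_map(f, l):
    """Wrap l in a map by f, unless f is the identity (identity law)."""
    return l if is_identity(f) else Map(f, l)


def unwind(head, stack):
    """Rebuild the stuck term around head while unpiling the stack.  This is
    the compaction pass: a run of adjacent map frames becomes one map."""
    t, pending = head, None        # pending: composite of the maps seen so far
    while stack:
        kind, x = stack.pop()      # top of the stack is the innermost elimination
        if kind == "map":
            pending = x if pending is None else compose(x, pending)
            continue
        if pending is not None:    # an application frame ends the run of maps
            t, pending = apply_map(pending, t), None
        t = App(t, x)
    return t if pending is None else apply_map(pending, t)


def whnf(t):
    """Weak-head normal form computed by the stack machine."""
    stack = []
    while True:
        top = stack[-1][0] if stack else None
        if isinstance(t, App):                       # push the argument
            stack.append(("app", t.arg))
            t = t.fn
        elif isinstance(t, Map):                     # push the mapped function
            stack.append(("map", t.fn))
            t = t.lst
        elif isinstance(t, Lam) and top == "app":    # beta reduction
            t = subst(t.body, stack.pop()[1])
        elif isinstance(t, Nil) and top == "map":    # map f [] -> []
            stack.pop()
        elif isinstance(t, Cons) and top == "map":   # map f (h :: tl) -> f h :: map f tl
            f = stack.pop()[1]
            t = Cons(App(f, t.hd), Map(f, t.tl))
        else:                                        # variable or stuck value: compact
            return unwind(t, stack)
```

With a neutral list n = Var(0) and free function variables f = Var(1), g = Var(2), `whnf(Map(g, Map(f, n)))` yields a single map by the composite λx. g (f x), and `whnf(Map(Lam(Var(0)), n))` returns n itself; maps over constructors are still unfolded as usual.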


Correctness of the Functions Correctness of the implementations is shown in 
three steps. First, we show Soundness, i.e. that a positive answer of the checker 
implies the corresponding (algorithmic) judgment. Next, we show Completeness, 
i.e. that whenever an algorithmic judgment holds, then the corresponding checker 
answers positively. Finally, we show Termination, i.e. that the checkers always
terminate when run on well-typed inputs. Again, the main innovation has to
do with compaction. To reason about it, we need to make explicit the invariant
that the stack is always “well-typed”, in a suitable sense; see typed_stack in
Completeness.


6 Main properties 


The main properties we obtain from the logical relations and the certified checker
are the following. First, every well-typed term and type is (weakly) normalising
(proven in Normalisation):

Record WN (t : term) := {
  wn_val : term;
  wn_red : [ t => wn_val ];
  wn_whnf : whnf wn_val;
}.
Corollary normalisation {Γ A t} : [Γ |-[de] t : A] -> WN t.
Corollary type_normalisation {Γ A} : [Γ |-[de] A] -> WN A.


Conversion and typing are decidable (proven in Decidability): 


Definition check_conv (Γ : context) (T t t' : term) (hΓ : [|- Γ])
  (hT : [Γ |- T]) (ht : [Γ |- t : T]) (ht' : [Γ |- t' : T]) :
  [Γ |- t ≅ t' : T] + ~[Γ |- t ≅ t' : T].

Definition check_full Γ (T t : term) : [Γ |- t : T] + ~[Γ |- t : T].


Finally, the type system seen as a logic is consistent, and canonicity holds at the 
type of natural numbers: 


Lemma consistency {t} : [ε |- t : tEmpty] -> False.
Lemma nat_canonicity {t} : [ε |- t : tNat] ->
  ∑ n : nat, [ε |- t ≅ Nat.iter n tSucc tZero : tNat].